--- /dev/null
+From e1ad1bd7cb77e80f35f0a111e7e0e566ea22658c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jul 2020 20:36:43 +0200
+Subject: batman-adv: Avoid uninitialized chaddr when handling DHCP
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 303216e76dcab6049c9d42390b1032f0649a8206 ]
+
+The gateway client code can try to optimize the delivery of DHCP packets to
+avoid broadcasting them through the whole mesh. But also transmissions to
+the client can be optimized by looking up the destination via the chaddr of
+the DHCP packet.
+
+But the chaddr is currently only done when chaddr is fully inside the
+non-paged area of the skbuff. Otherwise it will not be initialized and the
+unoptimized path should have been taken.
+
+But the implementation didn't handle this correctly. It didn't retrieve the
+correct chaddr but still tried to perform the TT lookup with this
+uninitialized memory.
+
+Reported-by: syzbot+ab16e463b903f5a37036@syzkaller.appspotmail.com
+Fixes: 6c413b1c22a2 ("batman-adv: send every DHCP packet as bat-unicast")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/gateway_client.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
+index 47df4c6789886..89c9097007c3a 100644
+--- a/net/batman-adv/gateway_client.c
++++ b/net/batman-adv/gateway_client.c
+@@ -703,8 +703,10 @@ batadv_gw_dhcp_recipient_get(struct sk_buff *skb, unsigned int *header_len,
+
+ chaddr_offset = *header_len + BATADV_DHCP_CHADDR_OFFSET;
+ /* store the client address if the message is going to a client */
+- if (ret == BATADV_DHCP_TO_CLIENT &&
+- pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) {
++ if (ret == BATADV_DHCP_TO_CLIENT) {
++ if (!pskb_may_pull(skb, chaddr_offset + ETH_ALEN))
++ return BATADV_DHCP_NO;
++
+ /* check if the DHCP packet carries an Ethernet DHCP */
+ p = skb->data + *header_len + BATADV_DHCP_HTYPE_OFFSET;
+ if (*p != BATADV_DHCP_HTYPE_ETHERNET)
+--
+2.25.1
+
--- /dev/null
+From a9ab2b125f5ac0643e92b3a541fb0f6e85c2a75e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Aug 2020 17:46:10 +0300
+Subject: batman-adv: bla: use netif_rx_ni when not in interrupt context
+
+From: Jussi Kivilinna <jussi.kivilinna@haltian.com>
+
+[ Upstream commit 279e89b2281af3b1a9f04906e157992c19c9f163 ]
+
+batadv_bla_send_claim() gets called from worker thread context through
+batadv_bla_periodic_work(), thus netif_rx_ni needs to be used in that
+case. This fixes "NOHZ: local_softirq_pending 08" log messages seen
+when batman-adv is enabled.
+
+Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@haltian.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index 663a53b6d36e6..5f6309ade1ea1 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -437,7 +437,10 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, u8 *mac,
+ batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES,
+ skb->len + ETH_HLEN);
+
+- netif_rx(skb);
++ if (in_interrupt())
++ netif_rx(skb);
++ else
++ netif_rx_ni(skb);
+ out:
+ if (primary_if)
+ batadv_hardif_put(primary_if);
+--
+2.25.1
+
--- /dev/null
+From aa774a275255cb1bf521306976e68b8412ea61c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 14:28:08 +0200
+Subject: batman-adv: Fix own OGM check in aggregated OGMs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+
+[ Upstream commit d8bf0c01642275c7dca1e5d02c34e4199c200b1f ]
+
+The own OGM check is currently misplaced and can lead to the following
+issues:
+
+For one thing we might receive an aggregated OGM from a neighbor node
+which has our own OGM in the first place. We would then not only skip
+our own OGM but erroneously also any other, following OGM in the
+aggregate.
+
+For another, we might receive an OGM aggregate which has our own OGM in
+a place other then the first one. Then we would wrongly not skip this
+OGM, leading to populating the orginator and gateway table with ourself.
+
+Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bat_v_ogm.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
+index a9e7540c56918..3165f6ff8ee71 100644
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -878,6 +878,12 @@ static void batadv_v_ogm_process(const struct sk_buff *skb, int ogm_offset,
+ ntohl(ogm_packet->seqno), ogm_throughput, ogm_packet->ttl,
+ ogm_packet->version, ntohs(ogm_packet->tvlv_len));
+
++ if (batadv_is_my_mac(bat_priv, ogm_packet->orig)) {
++ batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
++ "Drop packet: originator packet from ourself\n");
++ return;
++ }
++
+ /* If the throughput metric is 0, immediately drop the packet. No need
+ * to create orig_node / neigh_node for an unusable route.
+ */
+@@ -1005,11 +1011,6 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb,
+ if (batadv_is_my_mac(bat_priv, ethhdr->h_source))
+ goto free_skb;
+
+- ogm_packet = (struct batadv_ogm2_packet *)skb->data;
+-
+- if (batadv_is_my_mac(bat_priv, ogm_packet->orig))
+- goto free_skb;
+-
+ batadv_inc_counter(bat_priv, BATADV_CNT_MGMT_RX);
+ batadv_add_counter(bat_priv, BATADV_CNT_MGMT_RX_BYTES,
+ skb->len + ETH_HLEN);
+--
+2.25.1
+
--- /dev/null
+From 0a3018223231a09b7078f993e11992de831c5a77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 12:40:07 -0700
+Subject: bnxt: don't enable NAPI until rings are ready
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 96ecdcc992eb7f468b2cf829b0f5408a1fad4668 ]
+
+Netpoll can try to poll napi as soon as napi_enable() is called.
+It crashes trying to access a doorbell which is still NULL:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ CPU: 59 PID: 6039 Comm: ethtool Kdump: loaded Tainted: G S 5.9.0-rc1-00469-g5fd99b5d9950-dirty #26
+ RIP: 0010:bnxt_poll+0x121/0x1c0
+ Code: c4 20 44 89 e0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 41 8b 86 a0 01 00 00 41 23 85 18 01 00 00 49 8b 96 a8 01 00 00 0d 00 00 00 24 <89> 02
+41 f6 45 77 02 74 cb 49 8b ae d8 01 00 00 31 c0 c7 44 24 1a
+ netpoll_poll_dev+0xbd/0x1a0
+ __netpoll_send_skb+0x1b2/0x210
+ netpoll_send_udp+0x2c9/0x406
+ write_ext_msg+0x1d7/0x1f0
+ console_unlock+0x23c/0x520
+ vprintk_emit+0xe0/0x1d0
+ printk+0x58/0x6f
+ x86_vector_activate.cold+0xf/0x46
+ __irq_domain_activate_irq+0x50/0x80
+ __irq_domain_activate_irq+0x32/0x80
+ __irq_domain_activate_irq+0x32/0x80
+ irq_domain_activate_irq+0x25/0x40
+ __setup_irq+0x2d2/0x700
+ request_threaded_irq+0xfb/0x160
+ __bnxt_open_nic+0x3b1/0x750
+ bnxt_open_nic+0x19/0x30
+ ethtool_set_channels+0x1ac/0x220
+ dev_ethtool+0x11ba/0x2240
+ dev_ioctl+0x1cf/0x390
+ sock_do_ioctl+0x95/0x130
+
+Reported-by: Rob Sherwood <rsher@fb.com>
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 089d7b9cc409d..4030020f92be5 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9132,15 +9132,15 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init)
+ }
+ }
+
+- bnxt_enable_napi(bp);
+- bnxt_debug_dev_init(bp);
+-
+ rc = bnxt_init_nic(bp, irq_re_init);
+ if (rc) {
+ netdev_err(bp->dev, "bnxt_init_nic err: %x\n", rc);
+- goto open_err;
++ goto open_err_irq;
+ }
+
++ bnxt_enable_napi(bp);
++ bnxt_debug_dev_init(bp);
++
+ if (link_re_init) {
+ mutex_lock(&bp->link_lock);
+ rc = bnxt_update_phy_setting(bp);
+@@ -9171,10 +9171,6 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init)
+ bnxt_vf_reps_open(bp);
+ return 0;
+
+-open_err:
+- bnxt_debug_dev_exit(bp);
+- bnxt_disable_napi(bp);
+-
+ open_err_irq:
+ bnxt_del_napi(bp);
+
+--
+2.25.1
+
--- /dev/null
+From 976ac91e404046b5adea78818b54471e86c40a94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 01:08:33 -0400
+Subject: bnxt_en: Check for zero dir entries in NVRAM.
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit dbbfa96ad920c50d58bcaefa57f5f33ceef9d00e ]
+
+If firmware goes into unstable state, HWRM_NVM_GET_DIR_INFO firmware
+command may return zero dir entries. Return error in such case to
+avoid zero length dma buffer request.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+index de9b34a255cf1..fd01bcc8e28d4 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -2161,6 +2161,9 @@ static int bnxt_get_nvram_directory(struct net_device *dev, u32 len, u8 *data)
+ if (rc != 0)
+ return rc;
+
++ if (!dir_entries || !entry_length)
++ return -EIO;
++
+ /* Insert 2 bytes of directory info (count and size of entries) */
+ if (len < 2)
+ return -EINVAL;
+--
+2.25.1
+
--- /dev/null
+From bb853f3d294aa87e3205a976749d3238ee43cfa9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 01:08:32 -0400
+Subject: bnxt_en: Don't query FW when netif_running() is false.
+
+From: Pavan Chebbi <pavan.chebbi@broadcom.com>
+
+[ Upstream commit c1c2d77408022a398a1a7c51cf20488c922629de ]
+
+In rare conditions like two stage OS installation, the
+ethtool's get_channels function may be called when the
+device is in D3 state, leading to uncorrectable PCI error.
+Check netif_running() first before making any query to FW
+which involves writing to BAR.
+
+Fixes: db4723b3cd2d ("bnxt_en: Check max_tx_scheduler_inputs value from firmware.")
+Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+index 1f512e7c3d434..de9b34a255cf1 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -769,7 +769,7 @@ static void bnxt_get_channels(struct net_device *dev,
+ int max_tx_sch_inputs;
+
+ /* Get the most up-to-date max_tx_sch_inputs. */
+- if (BNXT_NEW_RM(bp))
++ if (netif_running(dev) && BNXT_NEW_RM(bp))
+ bnxt_hwrm_func_resc_qcaps(bp, false);
+ max_tx_sch_inputs = hw_resc->max_tx_sch_inputs;
+
+--
+2.25.1
+
--- /dev/null
+From f16b12f862f144d60b08003692ecddc45f176bc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 01:08:37 -0400
+Subject: bnxt_en: fix HWRM error when querying VF temperature
+
+From: Edwin Peer <edwin.peer@broadcom.com>
+
+[ Upstream commit 12cce90b934bf2b0ed9c339b4d5503e69954351a ]
+
+Firmware returns RESOURCE_ACCESS_DENIED for HWRM_TEMP_MONITORY_QUERY for
+VFs. This produces unpleasing error messages in the log when temp1_input
+is queried via the hwmon sysfs interface from a VF.
+
+The error is harmless and expected, so silence it and return unknown as
+the value. Since the device temperature is not particularly sensitive
+information, provide flexibility to change this policy in future by
+silencing the error rather than avoiding the HWRM call entirely for VFs.
+
+Fixes: cde49a42a9bb ("bnxt_en: Add hwmon sysfs support to read temperature")
+Cc: Marc Smith <msmith626@gmail.com>
+Reported-by: Marc Smith <msmith626@gmail.com>
+Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 16462d21fea38..089d7b9cc409d 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -8938,16 +8938,19 @@ static ssize_t bnxt_show_temp(struct device *dev,
+ struct hwrm_temp_monitor_query_input req = {0};
+ struct hwrm_temp_monitor_query_output *resp;
+ struct bnxt *bp = dev_get_drvdata(dev);
+- u32 temp = 0;
++ u32 len = 0;
+
+ resp = bp->hwrm_cmd_resp_addr;
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_TEMP_MONITOR_QUERY, -1, -1);
+ mutex_lock(&bp->hwrm_cmd_lock);
+- if (!_hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT))
+- temp = resp->temp * 1000; /* display millidegree */
++ if (!_hwrm_send_message_silent(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT))
++ len = sprintf(buf, "%u\n", resp->temp * 1000); /* display millidegree */
+ mutex_unlock(&bp->hwrm_cmd_lock);
+
+- return sprintf(buf, "%u\n", temp);
++ if (len)
++ return len;
++
++ return sprintf(buf, "unknown\n");
+ }
+ static SENSOR_DEVICE_ATTR(temp1_input, 0444, bnxt_show_temp, NULL, 0);
+
+--
+2.25.1
+
--- /dev/null
+From 2dbc14c8edecb6a9488bd3cdb2b3738f27bfaba0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 01:08:35 -0400
+Subject: bnxt_en: Fix PCI AER error recovery flow
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit df3875ec550396974b1d8a518bd120d034738236 ]
+
+When a PCI error is detected the PCI state could be corrupt, save
+the PCI state after initialization and restore it after the slot
+reset.
+
+Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 2cbfe0cd7eefa..7cb74d7a78e3c 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11900,6 +11900,7 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ (long)pci_resource_start(pdev, 0), dev->dev_addr);
+ pcie_print_link_status(pdev);
+
++ pci_save_state(pdev);
+ return 0;
+
+ init_err_cleanup:
+@@ -12066,6 +12067,8 @@ static pci_ers_result_t bnxt_io_slot_reset(struct pci_dev *pdev)
+ "Cannot re-enable PCI device after reset.\n");
+ } else {
+ pci_set_master(pdev);
++ pci_restore_state(pdev);
++ pci_save_state(pdev);
+
+ err = bnxt_hwrm_func_reset(bp);
+ if (!err && netif_running(netdev))
+--
+2.25.1
+
--- /dev/null
+From 1ed14856dbc2fd0023ea79392aad1e6e8e8a42b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 01:08:36 -0400
+Subject: bnxt_en: Fix possible crash in bnxt_fw_reset_task().
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit b148bb238c02f0c7797efed026e9bba5892d2172 ]
+
+bnxt_fw_reset_task() is run from a delayed workqueue. The current
+code is not cancelling the workqueue in the driver's .remove()
+method and it can potentially crash if the device is removed with
+the workqueue still pending.
+
+The fix is to clear the BNXT_STATE_IN_FW_RESET flag and then cancel
+the delayed workqueue in bnxt_remove_one(). bnxt_queue_fw_reset_work()
+also needs to check that this flag is set before scheduling. This
+will guarantee that no rescheduling will be done after it is cancelled.
+
+Fixes: 230d1f0de754 ("bnxt_en: Handle firmware reset.")
+Reviewed-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 7cb74d7a78e3c..16462d21fea38 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -1143,6 +1143,9 @@ static int bnxt_discard_rx(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
+
+ static void bnxt_queue_fw_reset_work(struct bnxt *bp, unsigned long delay)
+ {
++ if (!(test_bit(BNXT_STATE_IN_FW_RESET, &bp->state)))
++ return;
++
+ if (BNXT_PF(bp))
+ queue_delayed_work(bnxt_pf_wq, &bp->fw_reset_task, delay);
+ else
+@@ -1159,10 +1162,12 @@ static void bnxt_queue_sp_work(struct bnxt *bp)
+
+ static void bnxt_cancel_sp_work(struct bnxt *bp)
+ {
+- if (BNXT_PF(bp))
++ if (BNXT_PF(bp)) {
+ flush_workqueue(bnxt_pf_wq);
+- else
++ } else {
+ cancel_work_sync(&bp->sp_task);
++ cancel_delayed_work_sync(&bp->fw_reset_task);
++ }
+ }
+
+ static void bnxt_sched_reset(struct bnxt *bp, struct bnxt_rx_ring_info *rxr)
+@@ -11386,6 +11391,7 @@ static void bnxt_remove_one(struct pci_dev *pdev)
+ unregister_netdev(dev);
+ bnxt_dl_unregister(bp);
+ bnxt_shutdown_tc(bp);
++ clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state);
+ bnxt_cancel_sp_work(bp);
+ bp->sp_event = 0;
+
+--
+2.25.1
+
--- /dev/null
+From 274eaf324ddef94d1162684fc563174cb55535fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 21:14:40 +0530
+Subject: cxgb4: fix thermal zone device registration
+
+From: Potnuri Bharat Teja <bharat@chelsio.com>
+
+[ Upstream commit 6b6382a857d824c0866056d5736bbcb597a922ed ]
+
+When multiple adapters are present in the system, pci hot-removing second
+adapter leads to the following warning as both the adapters registered
+thermal zone device with same thermal zone name/type.
+Therefore, use unique thermal zone name during thermal zone device
+initialization. Also mark thermal zone dev NULL once unregistered.
+
+[ 414.370143] ------------[ cut here ]------------
+[ 414.370944] sysfs group 'power' not found for kobject 'hwmon0'
+[ 414.371747] WARNING: CPU: 9 PID: 2661 at fs/sysfs/group.c:281
+ sysfs_remove_group+0x76/0x80
+[ 414.382550] CPU: 9 PID: 2661 Comm: bash Not tainted 5.8.0-rc6+ #33
+[ 414.383593] Hardware name: Supermicro X10SRA-F/X10SRA-F, BIOS 2.0a 06/23/2016
+[ 414.384669] RIP: 0010:sysfs_remove_group+0x76/0x80
+[ 414.385738] Code: 48 89 df 5b 5d 41 5c e9 d8 b5 ff ff 48 89 df e8 60 b0 ff ff
+ eb cb 49 8b 14 24 48 8b 75 00 48 c7 c7 90 ae 13 bb e8 6a 27 d0 ff <0f> 0b 5b 5d
+ 41 5c c3 0f 1f 00 0f 1f 44 00 00 48 85 f6 74 31 41 54
+[ 414.388404] RSP: 0018:ffffa22bc080fcb0 EFLAGS: 00010286
+[ 414.389638] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+[ 414.390829] RDX: 0000000000000001 RSI: ffff8ee2de3e9510 RDI: ffff8ee2de3e9510
+[ 414.392064] RBP: ffffffffbaef2ee0 R08: 0000000000000000 R09: 0000000000000000
+[ 414.393224] R10: 0000000000000000 R11: 000000002b30006c R12: ffff8ee260720008
+[ 414.394388] R13: ffff8ee25e0a40e8 R14: ffffa22bc080ff08 R15: ffff8ee2c3be5020
+[ 414.395661] FS: 00007fd2a7171740(0000) GS:ffff8ee2de200000(0000)
+ knlGS:0000000000000000
+[ 414.396825] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 414.398011] CR2: 00007f178ffe5020 CR3: 000000084c5cc003 CR4: 00000000003606e0
+[ 414.399172] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 414.400352] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 414.401473] Call Trace:
+[ 414.402685] device_del+0x89/0x400
+[ 414.403819] device_unregister+0x16/0x60
+[ 414.405024] hwmon_device_unregister+0x44/0xa0
+[ 414.406112] thermal_remove_hwmon_sysfs+0x196/0x200
+[ 414.407256] thermal_zone_device_unregister+0x1b5/0x1f0
+[ 414.408415] cxgb4_thermal_remove+0x3c/0x4f [cxgb4]
+[ 414.409668] remove_one+0x212/0x290 [cxgb4]
+[ 414.410875] pci_device_remove+0x36/0xb0
+[ 414.412004] device_release_driver_internal+0xe2/0x1c0
+[ 414.413276] pci_stop_bus_device+0x64/0x90
+[ 414.414433] pci_stop_and_remove_bus_device_locked+0x16/0x30
+[ 414.415609] remove_store+0x75/0x90
+[ 414.416790] kernfs_fop_write+0x114/0x1b0
+[ 414.417930] vfs_write+0xcf/0x210
+[ 414.419059] ksys_write+0xa7/0xe0
+[ 414.420120] do_syscall_64+0x4c/0xa0
+[ 414.421278] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 414.422335] RIP: 0033:0x7fd2a686afd0
+[ 414.423396] Code: Bad RIP value.
+[ 414.424549] RSP: 002b:00007fffc1446148 EFLAGS: 00000246 ORIG_RAX:
+ 0000000000000001
+[ 414.425638] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fd2a686afd0
+[ 414.426830] RDX: 0000000000000002 RSI: 00007fd2a7196000 RDI: 0000000000000001
+[ 414.427927] RBP: 00007fd2a7196000 R08: 000000000000000a R09: 00007fd2a7171740
+[ 414.428923] R10: 00007fd2a7171740 R11: 0000000000000246 R12: 00007fd2a6b43400
+[ 414.430082] R13: 0000000000000002 R14: 0000000000000001 R15: 0000000000000000
+[ 414.431027] irq event stamp: 76300
+[ 414.435678] ---[ end trace 13865acb4d5ab00f ]---
+
+Fixes: b18719157762 ("cxgb4: Add thermal zone support")
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c
+index 3de8a5e83b6c7..d7fefdbf3e575 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c
+@@ -62,6 +62,7 @@ static struct thermal_zone_device_ops cxgb4_thermal_ops = {
+ int cxgb4_thermal_init(struct adapter *adap)
+ {
+ struct ch_thermal *ch_thermal = &adap->ch_thermal;
++ char ch_tz_name[THERMAL_NAME_LENGTH];
+ int num_trip = CXGB4_NUM_TRIPS;
+ u32 param, val;
+ int ret;
+@@ -82,7 +83,8 @@ int cxgb4_thermal_init(struct adapter *adap)
+ ch_thermal->trip_type = THERMAL_TRIP_CRITICAL;
+ }
+
+- ch_thermal->tzdev = thermal_zone_device_register("cxgb4", num_trip,
++ snprintf(ch_tz_name, sizeof(ch_tz_name), "cxgb4_%s", adap->name);
++ ch_thermal->tzdev = thermal_zone_device_register(ch_tz_name, num_trip,
+ 0, adap,
+ &cxgb4_thermal_ops,
+ NULL, 0, 0);
+@@ -97,7 +99,9 @@ int cxgb4_thermal_init(struct adapter *adap)
+
+ int cxgb4_thermal_remove(struct adapter *adap)
+ {
+- if (adap->ch_thermal.tzdev)
++ if (adap->ch_thermal.tzdev) {
+ thermal_zone_device_unregister(adap->ch_thermal.tzdev);
++ adap->ch_thermal.tzdev = NULL;
++ }
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 6c79449f7f37bab2a0f933a0f65056b5057c1f79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 19:57:26 +0800
+Subject: dmaengine: at_hdmac: check return value of of_find_device_by_node()
+ in at_dma_xlate()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 0cef8e2c5a07d482ec907249dbd6687e8697677f ]
+
+The reurn value of of_find_device_by_node() is not checked, thus null
+pointer dereference will be triggered if of_find_device_by_node()
+failed.
+
+Fixes: bbe89c8e3d59 ("at_hdmac: move to generic DMA binding")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20200817115728.1706719-2-yukuai3@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/at_hdmac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
+index 672c73b4a2d4f..ff366c2f58c18 100644
+--- a/drivers/dma/at_hdmac.c
++++ b/drivers/dma/at_hdmac.c
+@@ -1667,6 +1667,8 @@ static struct dma_chan *at_dma_xlate(struct of_phandle_args *dma_spec,
+ return NULL;
+
+ dmac_pdev = of_find_device_by_node(dma_spec->np);
++ if (!dmac_pdev)
++ return NULL;
+
+ dma_cap_zero(mask);
+ dma_cap_set(DMA_SLAVE, mask);
+--
+2.25.1
+
--- /dev/null
+From 591c6e8092d765de08ac2f051f3a1a0f9dd78697 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 13:49:28 +0300
+Subject: dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+[ Upstream commit 5b2aa9f918f6837ae943557f8cec02c34fcf80e7 ]
+
+of_dma_xlate callback can return ERR_PTR as well NULL in case of failure.
+
+If error code is returned (not NULL) then the route should be released and
+the router should not be registered for the channel.
+
+Fixes: 56f13c0d9524c ("dmaengine: of_dma: Support for DMA routers")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Link: https://lore.kernel.org/r/20200806104928.25975-1-peter.ujfalusi@ti.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/of-dma.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/dma/of-dma.c b/drivers/dma/of-dma.c
+index c2d779daa4b51..4bbf4172b9bf9 100644
+--- a/drivers/dma/of-dma.c
++++ b/drivers/dma/of-dma.c
+@@ -69,12 +69,12 @@ static struct dma_chan *of_dma_router_xlate(struct of_phandle_args *dma_spec,
+ return NULL;
+
+ chan = ofdma_target->of_dma_xlate(&dma_spec_target, ofdma_target);
+- if (chan) {
+- chan->router = ofdma->dma_router;
+- chan->route_data = route_data;
+- } else {
++ if (IS_ERR_OR_NULL(chan)) {
+ ofdma->dma_router->route_free(ofdma->dma_router->dev,
+ route_data);
++ } else {
++ chan->router = ofdma->dma_router;
++ chan->route_data = route_data;
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From ee89586e4e150d93d2288df00148ddbaf67895ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 08:46:17 +0200
+Subject: dmaengine: pl330: Fix burst length if burst size is smaller than bus
+ width
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit 0661cef675d37e2c4b66a996389ebeae8568e49e ]
+
+Move the burst len fixup after setting the generic value for it. This
+finally enables the fixup introduced by commit 137bd11090d8 ("dmaengine:
+pl330: Align DMA memcpy operations to MFIFO width"), which otherwise was
+overwritten by the generic value.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: 137bd11090d8 ("dmaengine: pl330: Align DMA memcpy operations to MFIFO width")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Link: https://lore.kernel.org/r/20200825064617.16193-1-m.szyprowski@samsung.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/pl330.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
+index 6cce9ef61b294..cd81d10974a29 100644
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -2788,6 +2788,7 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst,
+ while (burst != (1 << desc->rqcfg.brst_size))
+ desc->rqcfg.brst_size++;
+
++ desc->rqcfg.brst_len = get_burst_len(desc, len);
+ /*
+ * If burst size is smaller than bus width then make sure we only
+ * transfer one at a time to avoid a burst stradling an MFIFO entry.
+@@ -2795,7 +2796,6 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst,
+ if (desc->rqcfg.brst_size * 8 < pl330->pcfg.data_bus_width)
+ desc->rqcfg.brst_len = 1;
+
+- desc->rqcfg.brst_len = get_burst_len(desc, len);
+ desc->bytes_requested = len;
+
+ desc->txd.flags = flags;
+--
+2.25.1
+
--- /dev/null
+From 7abad39f34f506b0e75391e3c3dc430ec97bf3d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 01:33:48 +0800
+Subject: drm/radeon: Prefer lower feedback dividers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit fc8c70526bd30733ea8667adb8b8ffebea30a8ed ]
+
+Commit 2e26ccb119bd ("drm/radeon: prefer lower reference dividers")
+fixed screen flicker for HP Compaq nx9420 but breaks other laptops like
+Asus X50SL.
+
+Turns out we also need to favor lower feedback dividers.
+
+Users confirmed this change fixes the regression and doesn't regress the
+original fix.
+
+Fixes: 2e26ccb119bd ("drm/radeon: prefer lower reference dividers")
+BugLink: https://bugs.launchpad.net/bugs/1791312
+BugLink: https://bugs.launchpad.net/bugs/1861554
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_display.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
+index f9f74150d0d73..e7c4e06bc7d4f 100644
+--- a/drivers/gpu/drm/radeon/radeon_display.c
++++ b/drivers/gpu/drm/radeon/radeon_display.c
+@@ -932,7 +932,7 @@ static void avivo_get_fb_ref_div(unsigned nom, unsigned den, unsigned post_div,
+
+ /* get matching reference and feedback divider */
+ *ref_div = min(max(den/post_div, 1u), ref_div_max);
+- *fb_div = DIV_ROUND_CLOSEST(nom * *ref_div * post_div, den);
++ *fb_div = max(nom * *ref_div * post_div / den, 1u);
+
+ /* limit fb divider to its maximum */
+ if (*fb_div > fb_div_max) {
+--
+2.25.1
+
--- /dev/null
+From 16d858d142afa3a7951940c47c454f7c9076b75f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 11:30:48 -0400
+Subject: fix regression in "epoll: Keep a reference on files added to the
+ check list"
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 77f4689de17c0887775bb77896f4cc11a39bf848 ]
+
+epoll_loop_check_proc() can run into a file already committed to destruction;
+we can't grab a reference on those and don't need to add them to the set for
+reverse path check anyway.
+
+Tested-by: Marc Zyngier <maz@kernel.org>
+Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventpoll.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index 0d9b1e2b9da72..ae1d32344f7ac 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1992,9 +1992,9 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
+ * during ep_insert().
+ */
+ if (list_empty(&epi->ffd.file->f_tfile_llink)) {
+- get_file(epi->ffd.file);
+- list_add(&epi->ffd.file->f_tfile_llink,
+- &tfile_check_list);
++ if (get_file_rcu(epi->ffd.file))
++ list_add(&epi->ffd.file->f_tfile_llink,
++ &tfile_check_list);
+ }
+ }
+ }
+--
+2.25.1
+
--- /dev/null
+From 07a2da868915dcf7af9996412a585b795f50febc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 14:59:40 +0200
+Subject: gtp: add GTPA_LINK info to msg sent to userspace
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit b274e47d9e3f4dcd4ad4028a316ec22dc4533ac7 ]
+
+During a dump, this attribute is essential, it enables the userspace to
+know on which interface the context is linked to.
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Tested-by: Gabriel Ganne <gabriel.ganne@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index d89ec99abcd63..634bdea38ecb3 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -1182,6 +1182,7 @@ static int gtp_genl_fill_info(struct sk_buff *skb, u32 snd_portid, u32 snd_seq,
+ goto nlmsg_failure;
+
+ if (nla_put_u32(skb, GTPA_VERSION, pctx->gtp_version) ||
++ nla_put_u32(skb, GTPA_LINK, pctx->dev->ifindex) ||
+ nla_put_be32(skb, GTPA_PEER_ADDRESS, pctx->peer_addr_ip4.s_addr) ||
+ nla_put_be32(skb, GTPA_MS_ADDRESS, pctx->ms_addr_ip4.s_addr))
+ goto nla_put_failure;
+--
+2.25.1
+
--- /dev/null
+From b56716891fa7a4440c98f403346e4ea8a669fec8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 16:36:19 -0700
+Subject: include/linux/log2.h: add missing () around n in roundup_pow_of_two()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 428fc0aff4e59399ec719ffcc1f7a5d29a4ee476 ]
+
+Otherwise gcc generates warnings if the expression is complicated.
+
+Fixes: 312a0c170945 ("[PATCH] LOG2: Alter roundup_pow_of_two() so that it can use a ilog2() on a constant")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Link: https://lkml.kernel.org/r/0-v1-8a2697e3c003+41165-log_brackets_jgg@nvidia.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/log2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/log2.h b/include/linux/log2.h
+index 83a4a3ca3e8a7..c619ec6eff4ae 100644
+--- a/include/linux/log2.h
++++ b/include/linux/log2.h
+@@ -173,7 +173,7 @@ unsigned long __rounddown_pow_of_two(unsigned long n)
+ #define roundup_pow_of_two(n) \
+ ( \
+ __builtin_constant_p(n) ? ( \
+- (n == 1) ? 1 : \
++ ((n) == 1) ? 1 : \
+ (1UL << (ilog2((n) - 1) + 1)) \
+ ) : \
+ __roundup_pow_of_two(n) \
+--
+2.25.1
+
--- /dev/null
+From 58471b61c79069be39d3ecb727cdcb2de96ef3c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Sep 2020 09:38:21 +0000
+Subject: iommu/amd: Restore IRTE.RemapEn bit after programming IRTE
+
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+
+[ Upstream commit 26e495f341075c09023ba16dee9a7f37a021e745 ]
+
+Currently, the RemapEn (valid) bit is accidentally cleared when
+programming IRTE w/ guestMode=0. It should be restored to
+the prior state.
+
+Fixes: b9fc6b56f478 ("iommu/amd: Implements irq_set_vcpu_affinity() hook to setup vapic mode for pass-through devices")
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
+Link: https://lore.kernel.org/r/20200903093822.52012-2-suravee.suthikulpanit@amd.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 3a7094f4813f2..cdafc652d9d1a 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -4431,6 +4431,7 @@ int amd_iommu_deactivate_guest_mode(void *data)
+ struct amd_ir_data *ir_data = (struct amd_ir_data *)data;
+ struct irte_ga *entry = (struct irte_ga *) ir_data->entry;
+ struct irq_cfg *cfg = ir_data->cfg;
++ u64 valid = entry->lo.fields_remap.valid;
+
+ if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir) ||
+ !entry || !entry->lo.fields_vapic.guest_mode)
+@@ -4439,6 +4440,7 @@ int amd_iommu_deactivate_guest_mode(void *data)
+ entry->lo.val = 0;
+ entry->hi.val = 0;
+
++ entry->lo.fields_remap.valid = valid;
+ entry->lo.fields_remap.dm = apic->irq_dest_mode;
+ entry->lo.fields_remap.int_type = apic->irq_delivery_mode;
+ entry->hi.fields.vector = cfg->vector;
+--
+2.25.1
+
--- /dev/null
+From 525179270949a2df40e0a8efbc86ca3d6c907b0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 08:06:15 +0800
+Subject: iommu/vt-d: Serialize IOMMU GCMD register modifications
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+[ Upstream commit 6e4e9ec65078093165463c13d4eb92b3e8d7b2e8 ]
+
+The VT-d spec requires (10.4.4 Global Command Register, GCMD_REG General
+Description) that:
+
+If multiple control fields in this register need to be modified, software
+must serialize the modifications through multiple writes to this register.
+
+However, in irq_remapping.c, modifications of IRE and CFI are done in one
+write. We need to do two separate writes with STS checking after each. It
+also checks the status register before writing command register to avoid
+unnecessary register write.
+
+Fixes: af8d102f999a4 ("x86/intel/irq_remapping: Clean up x2apic opt-out security warning mess")
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Cc: Kevin Tian <kevin.tian@intel.com>
+Cc: Ashok Raj <ashok.raj@intel.com>
+Link: https://lore.kernel.org/r/20200828000615.8281-1-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel_irq_remapping.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c
+index 6bfb283e6f287..f697f3a1d46bc 100644
+--- a/drivers/iommu/intel_irq_remapping.c
++++ b/drivers/iommu/intel_irq_remapping.c
+@@ -507,12 +507,18 @@ static void iommu_enable_irq_remapping(struct intel_iommu *iommu)
+
+ /* Enable interrupt-remapping */
+ iommu->gcmd |= DMA_GCMD_IRE;
+- iommu->gcmd &= ~DMA_GCMD_CFI; /* Block compatibility-format MSIs */
+ writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG);
+-
+ IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG,
+ readl, (sts & DMA_GSTS_IRES), sts);
+
++ /* Block compatibility-format MSIs */
++ if (sts & DMA_GSTS_CFIS) {
++ iommu->gcmd &= ~DMA_GCMD_CFI;
++ writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG);
++ IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG,
++ readl, !(sts & DMA_GSTS_CFIS), sts);
++ }
++
+ /*
+ * With CFI clear in the Global Command register, we should be
+ * protected from dangerous (i.e. compatibility) interrupts
+--
+2.25.1
+
--- /dev/null
+From 5cf463fafc7a0671dfdca5902a5ec9224f6c1e60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 21:18:33 +0200
+Subject: media: cedrus: Add missing v4l2_ctrl_request_hdl_put()
+
+From: Ezequiel Garcia <ezequiel@collabora.com>
+
+[ Upstream commit b30063976f29fc221a99d18d37d22ca035068aa9 ]
+
+The check for a required control in the request was missing a call to
+v4l2_ctrl_request_hdl_put() in the error path. Fix it.
+
+Fixes: 50e761516f2b8c ("media: platform: Add Cedrus VPU decoder driver")
+Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/sunxi/cedrus/cedrus.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c
+index 3439f6ad63380..e80e82a276e93 100644
+--- a/drivers/staging/media/sunxi/cedrus/cedrus.c
++++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
+@@ -159,6 +159,7 @@ static int cedrus_request_validate(struct media_request *req)
+ struct v4l2_ctrl *ctrl_test;
+ unsigned int count;
+ unsigned int i;
++ int ret = 0;
+
+ list_for_each_entry(obj, &req->objects, list) {
+ struct vb2_buffer *vb;
+@@ -203,12 +204,16 @@ static int cedrus_request_validate(struct media_request *req)
+ if (!ctrl_test) {
+ v4l2_info(&ctx->dev->v4l2_dev,
+ "Missing required codec control\n");
+- return -ENOENT;
++ ret = -ENOENT;
++ break;
+ }
+ }
+
+ v4l2_ctrl_request_hdl_put(hdl);
+
++ if (ret)
++ return ret;
++
+ return vb2_request_validate(req);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 09a0a49d2b85998ff89ff937ba98711adbafb02d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Aug 2020 12:30:33 +0200
+Subject: media: vicodec: add missing v4l2_ctrl_request_hdl_put()
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 2e7c8fb8942773f412fe12f3b63e8bb92c18ab3f ]
+
+The check for a required control in the request was missing a call to
+v4l2_ctrl_request_hdl_put(), so the control request object was never
+released.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 997deb811bf5 ("media: vicodec: Add support for stateless decoder.")
+Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vicodec/vicodec-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
+index 84ec36156f73f..c77281d43f892 100644
+--- a/drivers/media/platform/vicodec/vicodec-core.c
++++ b/drivers/media/platform/vicodec/vicodec-core.c
+@@ -2052,6 +2052,7 @@ static int vicodec_request_validate(struct media_request *req)
+ }
+ ctrl = v4l2_ctrl_request_hdl_ctrl_find(hdl,
+ vicodec_ctrl_stateless_state.id);
++ v4l2_ctrl_request_hdl_put(hdl);
+ if (!ctrl) {
+ v4l2_info(&ctx->dev->v4l2_dev,
+ "Missing required codec control\n");
+--
+2.25.1
+
--- /dev/null
+From 362a3da876cee4d9b8ef0206eb4412297dbee21f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Sep 2020 14:53:09 +0800
+Subject: MIPS: add missing MSACSR and upper MSA initialization
+
+From: Huang Pei <huangpei@loongson.cn>
+
+[ Upstream commit bb06748207cfb1502d11b90325eba7f8c44c9f02 ]
+
+In cc97ab235f3f ("MIPS: Simplify FP context initialization), init_fp_ctx
+just initialize the fp/msa context, and own_fp_inatomic just restore
+FCSR and 64bit FP regs from it, but miss MSACSR and upper MSA regs for
+MSA, so MSACSR and MSA upper regs's value from previous task on current
+cpu can leak into current task and cause unpredictable behavior when MSA
+context not initialized.
+
+Fixes: cc97ab235f3f ("MIPS: Simplify FP context initialization")
+Signed-off-by: Huang Pei <huangpei@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/traps.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
+index 6a25364600266..8282d0feb0b21 100644
+--- a/arch/mips/kernel/traps.c
++++ b/arch/mips/kernel/traps.c
+@@ -1240,6 +1240,18 @@ static int enable_restore_fp_context(int msa)
+ err = own_fpu_inatomic(1);
+ if (msa && !err) {
+ enable_msa();
++ /*
++ * with MSA enabled, userspace can see MSACSR
++ * and MSA regs, but the values in them are from
++ * other task before current task, restore them
++ * from saved fp/msa context
++ */
++ write_msa_csr(current->thread.fpu.msacsr);
++ /*
++ * own_fpu_inatomic(1) just restore low 64bit,
++ * fix the high 64bit
++ */
++ init_msa_upper();
+ set_thread_flag(TIF_USEDMSA);
+ set_thread_flag(TIF_MSA_CTX_LIVE);
+ }
+--
+2.25.1
+
--- /dev/null
+From 29ccdc81271b2c710a7899b5d35ac1bdd146b2c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 11:26:45 -0700
+Subject: MIPS: BMIPS: Also call bmips_cpu_setup() for secondary cores
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit e14f633b66902615cf7faa5d032b45ab8b6fb158 ]
+
+The initialization done by bmips_cpu_setup() typically affects both
+threads of a given core, on 7435 which supports 2 cores and 2 threads,
+logical CPU number 2 and 3 would not run this initialization.
+
+Fixes: 738a3f79027b ("MIPS: BMIPS: Add early CPU initialization code")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/smp-bmips.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/mips/kernel/smp-bmips.c b/arch/mips/kernel/smp-bmips.c
+index 712c15de6ab9f..6b304acf506fe 100644
+--- a/arch/mips/kernel/smp-bmips.c
++++ b/arch/mips/kernel/smp-bmips.c
+@@ -241,6 +241,8 @@ static int bmips_boot_secondary(int cpu, struct task_struct *idle)
+ */
+ static void bmips_init_secondary(void)
+ {
++ bmips_cpu_setup();
++
+ switch (current_cpu_type()) {
+ case CPU_BMIPS4350:
+ case CPU_BMIPS4380:
+--
+2.25.1
+
--- /dev/null
+From 23b81d27f2d18b0dbe9d8bc135f7bce318d1e105 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 11:26:44 -0700
+Subject: MIPS: mm: BMIPS5000 has inclusive physical caches
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit dbfc95f98f0158958d1f1e6bf06d74be38dbd821 ]
+
+When the BMIPS generic cpu-feature-overrides.h file was introduced,
+cpu_has_inclusive_caches/MIPS_CPU_INCLUSIVE_CACHES was not set for
+BMIPS5000 CPUs. Correct this when we have initialized the MIPS secondary
+cache successfully.
+
+Fixes: f337967d6d87 ("MIPS: BMIPS: Add cpu-feature-overrides.h")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/mm/c-r4k.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c
+index 89b9c851d8227..c4785a456dedc 100644
+--- a/arch/mips/mm/c-r4k.c
++++ b/arch/mips/mm/c-r4k.c
+@@ -1676,7 +1676,11 @@ static void setup_scache(void)
+ printk("MIPS secondary cache %ldkB, %s, linesize %d bytes.\n",
+ scache_size >> 10,
+ way_string[c->scache.ways], c->scache.linesz);
++
++ if (current_cpu_type() == CPU_BMIPS5000)
++ c->options |= MIPS_CPU_INCLUSIVE_CACHES;
+ }
++
+ #else
+ if (!(c->scache.flags & MIPS_CACHE_NOT_PRESENT))
+ panic("Dunno how to handle MIPS32 / MIPS64 second level cache");
+--
+2.25.1
+
--- /dev/null
+From 84d545d65bed3f71c56ad996cd68c29b36c45a7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 13:00:19 -0600
+Subject: mmc: sdhci-acpi: Fix HS400 tuning for AMDI0040
+
+From: Raul E Rangel <rrangel@chromium.org>
+
+[ Upstream commit 61d7437ed13906984c44697970ee792ac6271a31 ]
+
+The AMD eMMC Controller can only use the tuned clock while in HS200 and
+HS400 mode. If we switch to a different mode, we need to disable the
+tuned clock. If we have previously performed tuning and switch back to
+HS200 or HS400, we can re-enable the tuned clock.
+
+Previously the tuned clock was not getting disabled when switching to
+DDR52 which is part of the HS400 tuning sequence.
+
+Fixes: 34597a3f60b1 ("mmc: sdhci-acpi: Add support for ACPI HID of AMD Controller with HS400")
+Signed-off-by: Raul E Rangel <rrangel@chromium.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20200819125832.v2.1.Ie8f0689ec9f449203328b37409d1cf06b565f331@changeid
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-acpi.c | 67 +++++++++++++++++++++++++++++------
+ 1 file changed, 57 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/mmc/host/sdhci-acpi.c b/drivers/mmc/host/sdhci-acpi.c
+index 01fc437ed9659..5581a5c86fce3 100644
+--- a/drivers/mmc/host/sdhci-acpi.c
++++ b/drivers/mmc/host/sdhci-acpi.c
+@@ -532,6 +532,11 @@ static const struct sdhci_acpi_slot sdhci_acpi_slot_qcom_sd = {
+ .caps = MMC_CAP_NONREMOVABLE,
+ };
+
++struct amd_sdhci_host {
++ bool tuned_clock;
++ bool dll_enabled;
++};
++
+ /* AMD sdhci reset dll register. */
+ #define SDHCI_AMD_RESET_DLL_REGISTER 0x908
+
+@@ -551,26 +556,66 @@ static void sdhci_acpi_amd_hs400_dll(struct sdhci_host *host)
+ }
+
+ /*
+- * For AMD Platform it is required to disable the tuning
+- * bit first controller to bring to HS Mode from HS200
+- * mode, later enable to tune to HS400 mode.
++ * The initialization sequence for HS400 is:
++ * HS->HS200->Perform Tuning->HS->HS400
++ *
++ * The re-tuning sequence is:
++ * HS400->DDR52->HS->HS200->Perform Tuning->HS->HS400
++ *
++ * The AMD eMMC Controller can only use the tuned clock while in HS200 and HS400
++ * mode. If we switch to a different mode, we need to disable the tuned clock.
++ * If we have previously performed tuning and switch back to HS200 or
++ * HS400, we can re-enable the tuned clock.
++ *
+ */
+ static void amd_set_ios(struct mmc_host *mmc, struct mmc_ios *ios)
+ {
+ struct sdhci_host *host = mmc_priv(mmc);
++ struct sdhci_acpi_host *acpi_host = sdhci_priv(host);
++ struct amd_sdhci_host *amd_host = sdhci_acpi_priv(acpi_host);
+ unsigned int old_timing = host->timing;
++ u16 val;
+
+ sdhci_set_ios(mmc, ios);
+- if (old_timing == MMC_TIMING_MMC_HS200 &&
+- ios->timing == MMC_TIMING_MMC_HS)
+- sdhci_writew(host, 0x9, SDHCI_HOST_CONTROL2);
+- if (old_timing != MMC_TIMING_MMC_HS400 &&
+- ios->timing == MMC_TIMING_MMC_HS400) {
+- sdhci_writew(host, 0x80, SDHCI_HOST_CONTROL2);
+- sdhci_acpi_amd_hs400_dll(host);
++
++ if (old_timing != host->timing && amd_host->tuned_clock) {
++ if (host->timing == MMC_TIMING_MMC_HS400 ||
++ host->timing == MMC_TIMING_MMC_HS200) {
++ val = sdhci_readw(host, SDHCI_HOST_CONTROL2);
++ val |= SDHCI_CTRL_TUNED_CLK;
++ sdhci_writew(host, val, SDHCI_HOST_CONTROL2);
++ } else {
++ val = sdhci_readw(host, SDHCI_HOST_CONTROL2);
++ val &= ~SDHCI_CTRL_TUNED_CLK;
++ sdhci_writew(host, val, SDHCI_HOST_CONTROL2);
++ }
++
++ /* DLL is only required for HS400 */
++ if (host->timing == MMC_TIMING_MMC_HS400 &&
++ !amd_host->dll_enabled) {
++ sdhci_acpi_amd_hs400_dll(host);
++ amd_host->dll_enabled = true;
++ }
+ }
+ }
+
++static int amd_sdhci_execute_tuning(struct mmc_host *mmc, u32 opcode)
++{
++ int err;
++ struct sdhci_host *host = mmc_priv(mmc);
++ struct sdhci_acpi_host *acpi_host = sdhci_priv(host);
++ struct amd_sdhci_host *amd_host = sdhci_acpi_priv(acpi_host);
++
++ amd_host->tuned_clock = false;
++
++ err = sdhci_execute_tuning(mmc, opcode);
++
++ if (!err && !host->tuning_err)
++ amd_host->tuned_clock = true;
++
++ return err;
++}
++
+ static const struct sdhci_ops sdhci_acpi_ops_amd = {
+ .set_clock = sdhci_set_clock,
+ .set_bus_width = sdhci_set_bus_width,
+@@ -598,6 +643,7 @@ static int sdhci_acpi_emmc_amd_probe_slot(struct platform_device *pdev,
+
+ host->mmc_host_ops.select_drive_strength = amd_select_drive_strength;
+ host->mmc_host_ops.set_ios = amd_set_ios;
++ host->mmc_host_ops.execute_tuning = amd_sdhci_execute_tuning;
+ return 0;
+ }
+
+@@ -609,6 +655,7 @@ static const struct sdhci_acpi_slot sdhci_acpi_slot_amd_emmc = {
+ SDHCI_QUIRK_32BIT_ADMA_SIZE,
+ .quirks2 = SDHCI_QUIRK2_BROKEN_64_BIT_DMA,
+ .probe_slot = sdhci_acpi_emmc_amd_probe_slot,
++ .priv_size = sizeof(struct amd_sdhci_host),
+ };
+
+ struct sdhci_acpi_uid_slot {
+--
+2.25.1
+
--- /dev/null
+From b57f9cae576270e5e409af7c133840260cebddee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Aug 2020 16:56:47 +0800
+Subject: net: arc_emac: Fix memleak in arc_mdio_probe
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit e2d79cd8875fa8c3cc7defa98a8cc99a1ed0c62f ]
+
+When devm_gpiod_get_optional() fails, bus should be
+freed just like when of_mdiobus_register() fails.
+
+Fixes: 1bddd96cba03d ("net: arc_emac: support the phy reset for emac driver")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/arc/emac_mdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/arc/emac_mdio.c b/drivers/net/ethernet/arc/emac_mdio.c
+index 0187dbf3b87df..54cdafdd067db 100644
+--- a/drivers/net/ethernet/arc/emac_mdio.c
++++ b/drivers/net/ethernet/arc/emac_mdio.c
+@@ -153,6 +153,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv)
+ if (IS_ERR(data->reset_gpio)) {
+ error = PTR_ERR(data->reset_gpio);
+ dev_err(priv->dev, "Failed to request gpio: %d\n", error);
++ mdiobus_free(bus);
+ return error;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From cdac2796825e99a9b4ff8e9c81363b0c19d2ebc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 17:15:47 +0800
+Subject: net: dsa: mt7530: fix advertising unsupported 1000baseT_Half
+
+From: Landen Chao <landen.chao@mediatek.com>
+
+[ Upstream commit f272285f6abb9178d029375599626baf3d5f4e8a ]
+
+Remove 1000baseT_Half to advertise correct hardware capability in
+phylink_validate() callback function.
+
+Fixes: 38f790a80560 ("net: dsa: mt7530: Add support for port 5")
+Signed-off-by: Landen Chao <landen.chao@mediatek.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index dc9a3bb241149..00d680cb44418 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -1456,7 +1456,7 @@ unsupported:
+ phylink_set(mask, 100baseT_Full);
+
+ if (state->interface != PHY_INTERFACE_MODE_MII) {
+- phylink_set(mask, 1000baseT_Half);
++ /* This switch only supports 1G full-duplex. */
+ phylink_set(mask, 1000baseT_Full);
+ if (port == 5)
+ phylink_set(mask, 1000baseX_Full);
+--
+2.25.1
+
--- /dev/null
+From e93d143f4f8ebe760b5fa97f41f02a6d0e5e6def Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Aug 2020 22:37:09 +0800
+Subject: net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init()
+
+From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+
+[ Upstream commit cbedcb044e9cc4e14bbe6658111224bb923094f4 ]
+
+On machines with much memory (> 2 TByte) and log_mtts_per_seg == 0, a
+max_order of 31 will be passed to mlx_buddy_init(), which results in
+s = BITS_TO_LONGS(1 << 31) becoming a negative value, leading to
+kvmalloc_array() failure when it is converted to size_t.
+
+ mlx4_core 0000:b1:00.0: Failed to initialize memory region table, aborting
+ mlx4_core: probe of 0000:b1:00.0 failed with error -12
+
+Fix this issue by changing the left shifting operand from a signed literal to
+an unsigned one.
+
+Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters")
+Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/mr.c b/drivers/net/ethernet/mellanox/mlx4/mr.c
+index 1a11bc0e16123..cfa0bba3940fb 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/mr.c
++++ b/drivers/net/ethernet/mellanox/mlx4/mr.c
+@@ -114,7 +114,7 @@ static int mlx4_buddy_init(struct mlx4_buddy *buddy, int max_order)
+ goto err_out;
+
+ for (i = 0; i <= buddy->max_order; ++i) {
+- s = BITS_TO_LONGS(1 << (buddy->max_order - i));
++ s = BITS_TO_LONGS(1UL << (buddy->max_order - i));
+ buddy->bits[i] = kvmalloc_array(s, sizeof(long), GFP_KERNEL | __GFP_ZERO);
+ if (!buddy->bits[i])
+ goto err_out_free;
+--
+2.25.1
+
--- /dev/null
+From 0679772e99dc3c99b023b090718c4b7d4449fc95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 11:10:52 -0400
+Subject: net: ethernet: ti: cpsw: fix clean up of vlan mc entries for host
+ port
+
+From: Murali Karicheri <m-karicheri2@ti.com>
+
+[ Upstream commit 99d469fc64d06f0c81c0fe2a1c01645a67e0cbf0 ]
+
+To flush the vid + mc entries from ALE, which is required when a VLAN
+interface is removed, driver needs to call cpsw_ale_flush_multicast()
+with ALE_PORT_HOST for port mask as these entries are added only for
+host port. Without this, these entries remain in the ALE table even
+after removing the VLAN interface. cpsw_ale_flush_multicast() calls
+cpsw_ale_flush_mcast which expects a port mask to do the job.
+
+Fixes: 15180eca569b ("net: ethernet: ti: cpsw: fix vlan mcast")
+Signed-off-by: Murali Karicheri <m-karicheri2@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/cpsw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
+index 39df8c8feb6ce..e7b4d93e3f288 100644
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -2209,7 +2209,7 @@ static int cpsw_ndo_vlan_rx_kill_vid(struct net_device *ndev,
+ HOST_PORT_NUM, ALE_VLAN, vid);
+ ret |= cpsw_ale_del_mcast(cpsw->ale, priv->ndev->broadcast,
+ 0, ALE_VLAN, vid);
+- ret |= cpsw_ale_flush_multicast(cpsw->ale, 0, vid);
++ ret |= cpsw_ale_flush_multicast(cpsw->ale, ALE_PORT_HOST, vid);
+ err:
+ pm_runtime_put(cpsw->dev);
+ return ret;
+--
+2.25.1
+
--- /dev/null
+From a0ab2be9e27134b07a4ad96cad663b8cebd572e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 14:56:31 +0300
+Subject: net: gemini: Fix another missing clk_disable_unprepare() in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit eb0f3bc463d59d86402f19c59aa44e82dc3fab6d ]
+
+We recently added some calls to clk_disable_unprepare() but we missed
+the last error path if register_netdev() fails.
+
+I made a couple cleanups so we avoid mistakes like this in the future.
+First I reversed the "if (!ret)" condition and pulled the code in one
+indent level. Also, the "port->netdev = NULL;" is not required because
+"port" isn't used again outside this function so I deleted that line.
+
+Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cortina/gemini.c | 34 +++++++++++++--------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index 28d4c54505f9a..c9fb1ec625d8b 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -2445,8 +2445,8 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+ port->reset = devm_reset_control_get_exclusive(dev, NULL);
+ if (IS_ERR(port->reset)) {
+ dev_err(dev, "no reset\n");
+- clk_disable_unprepare(port->pclk);
+- return PTR_ERR(port->reset);
++ ret = PTR_ERR(port->reset);
++ goto unprepare;
+ }
+ reset_control_reset(port->reset);
+ usleep_range(100, 500);
+@@ -2501,25 +2501,25 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+ IRQF_SHARED,
+ port_names[port->id],
+ port);
+- if (ret) {
+- clk_disable_unprepare(port->pclk);
+- return ret;
+- }
++ if (ret)
++ goto unprepare;
+
+ ret = register_netdev(netdev);
+- if (!ret) {
++ if (ret)
++ goto unprepare;
++
++ netdev_info(netdev,
++ "irq %d, DMA @ 0x%pap, GMAC @ 0x%pap\n",
++ port->irq, &dmares->start,
++ &gmacres->start);
++ ret = gmac_setup_phy(netdev);
++ if (ret)
+ netdev_info(netdev,
+- "irq %d, DMA @ 0x%pap, GMAC @ 0x%pap\n",
+- port->irq, &dmares->start,
+- &gmacres->start);
+- ret = gmac_setup_phy(netdev);
+- if (ret)
+- netdev_info(netdev,
+- "PHY init failed, deferring to ifup time\n");
+- return 0;
+- }
++ "PHY init failed, deferring to ifup time\n");
++ return 0;
+
+- port->netdev = NULL;
++unprepare:
++ clk_disable_unprepare(port->pclk);
+ return ret;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From ba3e1cf7f4900e35ee46408d3caed760b8193a26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 13:44:42 +0800
+Subject: net: hns: Fix memleak in hns_nic_dev_probe
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 100e3345c6e719d2291e1efd5de311cc24bb9c0b ]
+
+hns_nic_dev_probe allocates ndev, but not free it on
+two error handling paths, which may lead to memleak.
+
+Fixes: 63434888aaf1b ("net: hns: net: hns: enet adds support of acpi")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_enet.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+index eb69e5c81a4d0..6d5d53cfc7ab4 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+@@ -2296,8 +2296,10 @@ static int hns_nic_dev_probe(struct platform_device *pdev)
+ priv->enet_ver = AE_VERSION_1;
+ else if (acpi_dev_found(hns_enet_acpi_match[1].id))
+ priv->enet_ver = AE_VERSION_2;
+- else
+- return -ENXIO;
++ else {
++ ret = -ENXIO;
++ goto out_read_prop_fail;
++ }
+
+ /* try to find port-idx-in-ae first */
+ ret = acpi_node_get_property_reference(dev->fwnode,
+@@ -2313,7 +2315,8 @@ static int hns_nic_dev_probe(struct platform_device *pdev)
+ priv->fwnode = args.fwnode;
+ } else {
+ dev_err(dev, "cannot read cfg data from OF or acpi\n");
+- return -ENXIO;
++ ret = -ENXIO;
++ goto out_read_prop_fail;
+ }
+
+ ret = device_property_read_u32(dev, "port-idx-in-ae", &port_id);
+--
+2.25.1
+
--- /dev/null
+From b97a2c6bc35ef6de875a24125dc4ae8e8e7b95eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Sep 2020 21:05:28 -0700
+Subject: net/packet: fix overflow in tpacket_rcv
+
+From: Or Cohen <orcohen@paloaltonetworks.com>
+
+[ Upstream commit acf69c946233259ab4d64f8869d4037a198c7f06 ]
+
+Using tp_reserve to calculate netoff can overflow as
+tp_reserve is unsigned int and netoff is unsigned short.
+
+This may lead to macoff receving a smaller value then
+sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
+is set, an out-of-bounds write will occur when
+calling virtio_net_hdr_from_skb.
+
+The bug is fixed by converting netoff to unsigned int
+and checking if it exceeds USHRT_MAX.
+
+This addresses CVE-2020-14386
+
+Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
+Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 7735340c892eb..fbc2d4dfddf0e 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2169,7 +2169,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ int skb_len = skb->len;
+ unsigned int snaplen, res;
+ unsigned long status = TP_STATUS_USER;
+- unsigned short macoff, netoff, hdrlen;
++ unsigned short macoff, hdrlen;
++ unsigned int netoff;
+ struct sk_buff *copy_skb = NULL;
+ struct timespec ts;
+ __u32 ts_status;
+@@ -2238,6 +2239,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ }
+ macoff = netoff - maclen;
+ }
++ if (netoff > USHRT_MAX) {
++ atomic_inc(&po->tp_drops);
++ goto drop_n_restore;
++ }
+ if (po->tp_version <= TPACKET_V2) {
+ if (macoff + snaplen > po->rx_ring.frame_size) {
+ if (po->copy_thresh &&
+--
+2.25.1
+
--- /dev/null
+From 52882eeb348febb8bde62f75589f3959772d6606 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 13:58:31 +0800
+Subject: net: systemport: Fix memleak in bcm_sysport_probe
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 7ef1fc57301f3cef7201497aa27e89ccb91737fe ]
+
+When devm_kcalloc() fails, dev should be freed just
+like what we've done in the subsequent error paths.
+
+Fixes: 7b78be48a8eb6 ("net: systemport: Dynamically allocate number of TX rings")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index 4dfdb5a58025b..71eb8914e620b 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -2453,8 +2453,10 @@ static int bcm_sysport_probe(struct platform_device *pdev)
+ priv->tx_rings = devm_kcalloc(&pdev->dev, txq,
+ sizeof(struct bcm_sysport_tx_ring),
+ GFP_KERNEL);
+- if (!priv->tx_rings)
+- return -ENOMEM;
++ if (!priv->tx_rings) {
++ ret = -ENOMEM;
++ goto err_free_netdev;
++ }
+
+ priv->is_lite = params->is_lite;
+ priv->num_rx_desc_words = params->num_rx_desc_words;
+--
+2.25.1
+
--- /dev/null
+From d8a1bd6436e1adb424b3061363d3e774b93c103b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 14:12:54 +0200
+Subject: netfilter: nf_tables: add NFTA_SET_USERDATA if not null
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 6f03bf43ee05b31d3822def2a80f11b3591c55b3 ]
+
+Kernel sends an empty NFTA_SET_USERDATA attribute with no value if
+userspace adds a set with no NFTA_SET_USERDATA attribute.
+
+Fixes: e6d8ecac9e68 ("netfilter: nf_tables: Add new attributes into nft_set to store user data.")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index f7129232c8250..c1920adb27e62 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3353,7 +3353,8 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
+ goto nla_put_failure;
+ }
+
+- if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
++ if (set->udata &&
++ nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
+ goto nla_put_failure;
+
+ desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
+--
+2.25.1
+
--- /dev/null
+From 9fc46b2631524ed98a709359e3fd31762530b39c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 21:05:50 +0200
+Subject: netfilter: nf_tables: fix destination register zeroing
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 1e105e6afa6c3d32bfb52c00ffa393894a525c27 ]
+
+Following bug was reported via irc:
+nft list ruleset
+ set knock_candidates_ipv4 {
+ type ipv4_addr . inet_service
+ size 65535
+ elements = { 127.0.0.1 . 123,
+ 127.0.0.1 . 123 }
+ }
+ ..
+ udp dport 123 add @knock_candidates_ipv4 { ip saddr . 123 }
+ udp dport 123 add @knock_candidates_ipv4 { ip saddr . udp dport }
+
+It should not have been possible to add a duplicate set entry.
+
+After some debugging it turned out that the problem is the immediate
+value (123) in the second-to-last rule.
+
+Concatenations use 32bit registers, i.e. the elements are 8 bytes each,
+not 6 and it turns out the kernel inserted
+
+inet firewall @knock_candidates_ipv4
+ element 0100007f ffff7b00 : 0 [end]
+ element 0100007f 00007b00 : 0 [end]
+
+Note the non-zero upper bits of the first element. It turns out that
+nft_immediate doesn't zero the destination register, but this is needed
+when the length isn't a multiple of 4.
+
+Furthermore, the zeroing in nft_payload is broken. We can't use
+[len / 4] = 0 -- if len is a multiple of 4, index is off by one.
+
+Skip zeroing in this case and use a conditional instead of (len -1) / 4.
+
+Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h | 2 ++
+ net/netfilter/nft_payload.c | 4 +++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 2d0275f13bbfd..bc2c73f549622 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -143,6 +143,8 @@ static inline u64 nft_reg_load64(u32 *sreg)
+ static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
+ unsigned int len)
+ {
++ if (len % NFT_REG32_SIZE)
++ dst[len / NFT_REG32_SIZE] = 0;
+ memcpy(dst, src, len);
+ }
+
+diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
+index 0e3bfbc26e790..62dc728bf93c9 100644
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -79,7 +79,9 @@ void nft_payload_eval(const struct nft_expr *expr,
+ u32 *dest = ®s->data[priv->dreg];
+ int offset;
+
+- dest[priv->len / NFT_REG32_SIZE] = 0;
++ if (priv->len % NFT_REG32_SIZE)
++ dest[priv->len / NFT_REG32_SIZE] = 0;
++
+ switch (priv->base) {
+ case NFT_PAYLOAD_LL_HEADER:
+ if (!skb_mac_header_was_set(skb))
+--
+2.25.1
+
--- /dev/null
+From 5ea27e2ec0bbbb4f7cebf01feeb4dabda049c785 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 14:12:55 +0200
+Subject: netfilter: nf_tables: incorrect enum nft_list_attributes definition
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit da9125df854ea48a6240c66e8a67be06e2c12c03 ]
+
+This should be NFTA_LIST_UNSPEC instead of NFTA_LIST_UNPEC, all other
+similar attribute definitions are postfixed with _UNSPEC.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/netfilter/nf_tables.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
+index ed8881ad18edd..0a995403172cc 100644
+--- a/include/uapi/linux/netfilter/nf_tables.h
++++ b/include/uapi/linux/netfilter/nf_tables.h
+@@ -132,7 +132,7 @@ enum nf_tables_msg_types {
+ * @NFTA_LIST_ELEM: list element (NLA_NESTED)
+ */
+ enum nft_list_attributes {
+- NFTA_LIST_UNPEC,
++ NFTA_LIST_UNSPEC,
+ NFTA_LIST_ELEM,
+ __NFTA_LIST_MAX
+ };
+--
+2.25.1
+
--- /dev/null
+From f02b52e37da916dac84f3a08d78e69a1baabbbb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Aug 2020 13:55:36 +0200
+Subject: netfilter: nfnetlink: nfnetlink_unicast() reports EAGAIN instead of
+ ENOBUFS
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit ee921183557af39c1a0475f982d43b0fcac25e2e ]
+
+Frontend callback reports EAGAIN to nfnetlink to retry a command, this
+is used to signal that module autoloading is required. Unfortunately,
+nlmsg_unicast() reports EAGAIN in case the receiver socket buffer gets
+full, so it enters a busy-loop.
+
+This patch updates nfnetlink_unicast() to turn EAGAIN into ENOBUFS and
+to use nlmsg_unicast(). Remove the flags field in nfnetlink_unicast()
+since this is always MSG_DONTWAIT in the existing code which is exactly
+what nlmsg_unicast() passes to netlink_unicast() as parameter.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Reported-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netfilter/nfnetlink.h | 3 +-
+ net/netfilter/nf_tables_api.c | 61 ++++++++++++++---------------
+ net/netfilter/nfnetlink.c | 11 ++++--
+ net/netfilter/nfnetlink_log.c | 3 +-
+ net/netfilter/nfnetlink_queue.c | 2 +-
+ 5 files changed, 40 insertions(+), 40 deletions(-)
+
+diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
+index 851425c3178f1..89016d08f6a27 100644
+--- a/include/linux/netfilter/nfnetlink.h
++++ b/include/linux/netfilter/nfnetlink.h
+@@ -43,8 +43,7 @@ int nfnetlink_has_listeners(struct net *net, unsigned int group);
+ int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 portid,
+ unsigned int group, int echo, gfp_t flags);
+ int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error);
+-int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid,
+- int flags);
++int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid);
+
+ static inline u16 nfnl_msg_type(u8 subsys, u8 msg_type)
+ {
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index c1920adb27e62..2023650c27249 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -744,11 +744,11 @@ static int nf_tables_gettable(struct net *net, struct sock *nlsk,
+ nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
+ family, table);
+ if (err < 0)
+- goto err;
++ goto err_fill_table_info;
+
+- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
+
+-err:
++err_fill_table_info:
+ kfree_skb(skb2);
+ return err;
+ }
+@@ -1443,11 +1443,11 @@ static int nf_tables_getchain(struct net *net, struct sock *nlsk,
+ nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
+ family, table, chain);
+ if (err < 0)
+- goto err;
++ goto err_fill_chain_info;
+
+- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
+
+-err:
++err_fill_chain_info:
+ kfree_skb(skb2);
+ return err;
+ }
+@@ -2622,11 +2622,11 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk,
+ nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
+ family, table, chain, rule, NULL);
+ if (err < 0)
+- goto err;
++ goto err_fill_rule_info;
+
+- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
+
+-err:
++err_fill_rule_info:
+ kfree_skb(skb2);
+ return err;
+ }
+@@ -3526,11 +3526,11 @@ static int nf_tables_getset(struct net *net, struct sock *nlsk,
+
+ err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
+ if (err < 0)
+- goto err;
++ goto err_fill_set_info;
+
+- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
+
+-err:
++err_fill_set_info:
+ kfree_skb(skb2);
+ return err;
+ }
+@@ -4305,24 +4305,18 @@ static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ err = -ENOMEM;
+ skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
+ if (skb == NULL)
+- goto err1;
++ return err;
+
+ err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
+ NFT_MSG_NEWSETELEM, 0, set, &elem);
+ if (err < 0)
+- goto err2;
++ goto err_fill_setelem;
+
+- err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
+- /* This avoids a loop in nfnetlink. */
+- if (err < 0)
+- goto err1;
++ return nfnetlink_unicast(skb, ctx->net, ctx->portid);
+
+- return 0;
+-err2:
++err_fill_setelem:
+ kfree_skb(skb);
+-err1:
+- /* this avoids a loop in nfnetlink. */
+- return err == -EAGAIN ? -ENOBUFS : err;
++ return err;
+ }
+
+ /* called with rcu_read_lock held */
+@@ -5499,10 +5493,11 @@ static int nf_tables_getobj(struct net *net, struct sock *nlsk,
+ nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
+ family, table, obj, reset);
+ if (err < 0)
+- goto err;
++ goto err_fill_obj_info;
+
+- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
+-err:
++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
++
++err_fill_obj_info:
+ kfree_skb(skb2);
+ return err;
+ }
+@@ -6174,10 +6169,11 @@ static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
+ NFT_MSG_NEWFLOWTABLE, 0, family,
+ flowtable);
+ if (err < 0)
+- goto err;
++ goto err_fill_flowtable_info;
+
+- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
+-err:
++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
++
++err_fill_flowtable_info:
+ kfree_skb(skb2);
+ return err;
+ }
+@@ -6338,10 +6334,11 @@ static int nf_tables_getgen(struct net *net, struct sock *nlsk,
+ err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
+ nlh->nlmsg_seq);
+ if (err < 0)
+- goto err;
++ goto err_fill_gen_info;
+
+- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
+-err:
++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
++
++err_fill_gen_info:
+ kfree_skb(skb2);
+ return err;
+ }
+diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
+index 99127e2d95a84..6d03b09096210 100644
+--- a/net/netfilter/nfnetlink.c
++++ b/net/netfilter/nfnetlink.c
+@@ -148,10 +148,15 @@ int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error)
+ }
+ EXPORT_SYMBOL_GPL(nfnetlink_set_err);
+
+-int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid,
+- int flags)
++int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid)
+ {
+- return netlink_unicast(net->nfnl, skb, portid, flags);
++ int err;
++
++ err = nlmsg_unicast(net->nfnl, skb, portid);
++ if (err == -EAGAIN)
++ err = -ENOBUFS;
++
++ return err;
+ }
+ EXPORT_SYMBOL_GPL(nfnetlink_unicast);
+
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index 0ba020ca38e68..7ca2ca4bba055 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -356,8 +356,7 @@ __nfulnl_send(struct nfulnl_instance *inst)
+ goto out;
+ }
+ }
+- nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid,
+- MSG_DONTWAIT);
++ nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid);
+ out:
+ inst->qlen = 0;
+ inst->skb = NULL;
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index feabdfb22920b..6f0a2bad8ad5e 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -681,7 +681,7 @@ __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
+ *packet_id_ptr = htonl(entry->id);
+
+ /* nfnetlink_unicast will either free the nskb or add it to a socket */
+- err = nfnetlink_unicast(nskb, net, queue->peer_portid, MSG_DONTWAIT);
++ err = nfnetlink_unicast(nskb, net, queue->peer_portid);
+ if (err < 0) {
+ if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {
+ failopen = 1;
+--
+2.25.1
+
--- /dev/null
+From bc1cb94594f3dcb748ac92db3e686526759a58e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 10:53:04 -0700
+Subject: nvme: fix controller instance leak
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 192f6c29bb28bfd0a17e6ad331d09f1ec84143d0 ]
+
+If the driver has to unbind from the controller for an early failure
+before the subsystem has been set up, there won't be a subsystem holding
+the controller's instance, so the controller needs to free its own
+instance in this case.
+
+Fixes: 733e4b69d508d ("nvme: Assign subsys instance from first ctrl")
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index ff5681da8780d..3cb017fa3a790 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -4012,7 +4012,7 @@ static void nvme_free_ctrl(struct device *dev)
+ container_of(dev, struct nvme_ctrl, ctrl_device);
+ struct nvme_subsystem *subsys = ctrl->subsys;
+
+- if (subsys && ctrl->instance != subsys->instance)
++ if (!subsys || ctrl->instance != subsys->instance)
+ ida_simple_remove(&nvme_instance_ida, ctrl->instance);
+
+ kfree(ctrl->effects);
+--
+2.25.1
+
--- /dev/null
+From 5302a49daa582615da14dbfeaa8712c44639c9b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Aug 2020 09:58:19 +0200
+Subject: nvmet-fc: Fix a missed _irqsave version of spin_lock in
+ 'nvmet_fc_fod_op_done()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 70e37988db94aba607d5491a94f80ba08e399b6b ]
+
+The way 'spin_lock()' and 'spin_lock_irqsave()' are used is not consistent
+in this function.
+
+Use 'spin_lock_irqsave()' also here, as there is no guarantee that
+interruptions are disabled at that point, according to surrounding code.
+
+Fixes: a97ec51b37ef ("nvmet_fc: Rework target side abort handling")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/fc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c
+index ce8d819f86ccc..fc35f7ae67b0a 100644
+--- a/drivers/nvme/target/fc.c
++++ b/drivers/nvme/target/fc.c
+@@ -1994,9 +1994,9 @@ nvmet_fc_fod_op_done(struct nvmet_fc_fcp_iod *fod)
+ return;
+ if (fcpreq->fcp_error ||
+ fcpreq->transferred_length != fcpreq->transfer_length) {
+- spin_lock(&fod->flock);
++ spin_lock_irqsave(&fod->flock, flags);
+ fod->abort = true;
+- spin_unlock(&fod->flock);
++ spin_unlock_irqrestore(&fod->flock, flags);
+
+ nvmet_req_complete(&fod->req, NVME_SC_INTERNAL);
+ return;
+--
+2.25.1
+
--- /dev/null
+From 4a127ea83732dc7b71f9b792c0bf6e8710e9a5b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 00:25:10 +0900
+Subject: perf jevents: Fix suspicious code in fixregex()
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit e62458e3940eb3dfb009481850e140fbee183b04 ]
+
+The new string should have enough space for the original string and the
+back slashes IMHO.
+
+Fixes: fbc2844e84038ce3 ("perf vendor events: Use more flexible pattern matching for CPU identification for mapfile.csv")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <andi@firstfloor.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: John Garry <john.garry@huawei.com>
+Cc: Kajol Jain <kjain@linux.ibm.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: William Cohen <wcohen@redhat.com>
+Link: http://lore.kernel.org/lkml/20200903152510.489233-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/pmu-events/jevents.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c
+index 99e3fd04a5cb3..d36ae65ae3330 100644
+--- a/tools/perf/pmu-events/jevents.c
++++ b/tools/perf/pmu-events/jevents.c
+@@ -137,7 +137,7 @@ static char *fixregex(char *s)
+ return s;
+
+ /* allocate space for a new string */
+- fixed = (char *) malloc(len + 1);
++ fixed = (char *) malloc(len + esc_count + 1);
+ if (!fixed)
+ return NULL;
+
+--
+2.25.1
+
--- /dev/null
+From 2eca1c72c6d0669fce63ec067fdce44d01f9bdf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Sep 2020 12:10:14 -0300
+Subject: perf tools: Correct SNOOPX field offset
+
+From: Al Grant <al.grant@foss.arm.com>
+
+[ Upstream commit 39c0a53b114d0317e5c4e76b631f41d133af5cb0 ]
+
+perf_event.h has macros that define the field offsets in the data_src
+bitmask in perf records. The SNOOPX and REMOTE offsets were both 37.
+
+These are distinct fields, and the bitfield layout in perf_mem_data_src
+confirms that SNOOPX should be at offset 38.
+
+Committer notes:
+
+This was extracted from a larger patch that also contained kernel
+changes.
+
+Fixes: 52839e653b5629bd ("perf tools: Add support for printing new mem_info encodings")
+Signed-off-by: Al Grant <al.grant@arm.com>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/9974f2d0-bf7f-518e-d9f7-4520e5ff1bb0@foss.arm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/include/uapi/linux/perf_event.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/include/uapi/linux/perf_event.h b/tools/include/uapi/linux/perf_event.h
+index bb7b271397a66..fabe5aeaa351a 100644
+--- a/tools/include/uapi/linux/perf_event.h
++++ b/tools/include/uapi/linux/perf_event.h
+@@ -1131,7 +1131,7 @@ union perf_mem_data_src {
+
+ #define PERF_MEM_SNOOPX_FWD 0x01 /* forward */
+ /* 1 free */
+-#define PERF_MEM_SNOOPX_SHIFT 37
++#define PERF_MEM_SNOOPX_SHIFT 38
+
+ /* locked instruction */
+ #define PERF_MEM_LOCK_NA 0x01 /* not available */
+--
+2.25.1
+
--- /dev/null
+From 0995dcfb52720a3df87aae91f914947f3e57605f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 18:43:07 +0900
+Subject: ravb: Fixed to be able to unload modules
+
+From: Yuusuke Ashizuka <ashiduka@fujitsu.com>
+
+[ Upstream commit 1838d6c62f57836639bd3d83e7855e0ee4f6defc ]
+
+When this driver is built as a module, I cannot rmmod it after insmoding
+it.
+This is because that this driver calls ravb_mdio_init() at the time of
+probe, and module->refcnt is incremented by alloc_mdio_bitbang() called
+after that.
+Therefore, even if ifup is not performed, the driver is in use and rmmod
+cannot be performed.
+
+$ lsmod
+Module Size Used by
+ravb 40960 1
+$ rmmod ravb
+rmmod: ERROR: Module ravb is in use
+
+Call ravb_mdio_init() at open and free_mdio_bitbang() at close, thereby
+rmmod is possible in the ifdown state.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Signed-off-by: Yuusuke Ashizuka <ashiduka@fujitsu.com>
+Reviewed-by: Sergei Shtylyov <sergei.shtylyov@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 110 +++++++++++------------
+ 1 file changed, 55 insertions(+), 55 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 30cdabf64ccc1..907ae1359a7c1 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1336,6 +1336,51 @@ static inline int ravb_hook_irq(unsigned int irq, irq_handler_t handler,
+ return error;
+ }
+
++/* MDIO bus init function */
++static int ravb_mdio_init(struct ravb_private *priv)
++{
++ struct platform_device *pdev = priv->pdev;
++ struct device *dev = &pdev->dev;
++ int error;
++
++ /* Bitbang init */
++ priv->mdiobb.ops = &bb_ops;
++
++ /* MII controller setting */
++ priv->mii_bus = alloc_mdio_bitbang(&priv->mdiobb);
++ if (!priv->mii_bus)
++ return -ENOMEM;
++
++ /* Hook up MII support for ethtool */
++ priv->mii_bus->name = "ravb_mii";
++ priv->mii_bus->parent = dev;
++ snprintf(priv->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x",
++ pdev->name, pdev->id);
++
++ /* Register MDIO bus */
++ error = of_mdiobus_register(priv->mii_bus, dev->of_node);
++ if (error)
++ goto out_free_bus;
++
++ return 0;
++
++out_free_bus:
++ free_mdio_bitbang(priv->mii_bus);
++ return error;
++}
++
++/* MDIO bus release function */
++static int ravb_mdio_release(struct ravb_private *priv)
++{
++ /* Unregister mdio bus */
++ mdiobus_unregister(priv->mii_bus);
++
++ /* Free bitbang info */
++ free_mdio_bitbang(priv->mii_bus);
++
++ return 0;
++}
++
+ /* Network device open function for Ethernet AVB */
+ static int ravb_open(struct net_device *ndev)
+ {
+@@ -1344,6 +1389,13 @@ static int ravb_open(struct net_device *ndev)
+ struct device *dev = &pdev->dev;
+ int error;
+
++ /* MDIO bus init */
++ error = ravb_mdio_init(priv);
++ if (error) {
++ netdev_err(ndev, "failed to initialize MDIO\n");
++ return error;
++ }
++
+ napi_enable(&priv->napi[RAVB_BE]);
+ napi_enable(&priv->napi[RAVB_NC]);
+
+@@ -1421,6 +1473,7 @@ out_free_irq:
+ out_napi_off:
+ napi_disable(&priv->napi[RAVB_NC]);
+ napi_disable(&priv->napi[RAVB_BE]);
++ ravb_mdio_release(priv);
+ return error;
+ }
+
+@@ -1730,6 +1783,8 @@ static int ravb_close(struct net_device *ndev)
+ ravb_ring_free(ndev, RAVB_BE);
+ ravb_ring_free(ndev, RAVB_NC);
+
++ ravb_mdio_release(priv);
++
+ return 0;
+ }
+
+@@ -1881,51 +1936,6 @@ static const struct net_device_ops ravb_netdev_ops = {
+ .ndo_set_features = ravb_set_features,
+ };
+
+-/* MDIO bus init function */
+-static int ravb_mdio_init(struct ravb_private *priv)
+-{
+- struct platform_device *pdev = priv->pdev;
+- struct device *dev = &pdev->dev;
+- int error;
+-
+- /* Bitbang init */
+- priv->mdiobb.ops = &bb_ops;
+-
+- /* MII controller setting */
+- priv->mii_bus = alloc_mdio_bitbang(&priv->mdiobb);
+- if (!priv->mii_bus)
+- return -ENOMEM;
+-
+- /* Hook up MII support for ethtool */
+- priv->mii_bus->name = "ravb_mii";
+- priv->mii_bus->parent = dev;
+- snprintf(priv->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x",
+- pdev->name, pdev->id);
+-
+- /* Register MDIO bus */
+- error = of_mdiobus_register(priv->mii_bus, dev->of_node);
+- if (error)
+- goto out_free_bus;
+-
+- return 0;
+-
+-out_free_bus:
+- free_mdio_bitbang(priv->mii_bus);
+- return error;
+-}
+-
+-/* MDIO bus release function */
+-static int ravb_mdio_release(struct ravb_private *priv)
+-{
+- /* Unregister mdio bus */
+- mdiobus_unregister(priv->mii_bus);
+-
+- /* Free bitbang info */
+- free_mdio_bitbang(priv->mii_bus);
+-
+- return 0;
+-}
+-
+ static const struct of_device_id ravb_match_table[] = {
+ { .compatible = "renesas,etheravb-r8a7790", .data = (void *)RCAR_GEN2 },
+ { .compatible = "renesas,etheravb-r8a7794", .data = (void *)RCAR_GEN2 },
+@@ -2166,13 +2176,6 @@ static int ravb_probe(struct platform_device *pdev)
+ eth_hw_addr_random(ndev);
+ }
+
+- /* MDIO bus init */
+- error = ravb_mdio_init(priv);
+- if (error) {
+- dev_err(&pdev->dev, "failed to initialize MDIO\n");
+- goto out_dma_free;
+- }
+-
+ netif_napi_add(ndev, &priv->napi[RAVB_BE], ravb_poll, 64);
+ netif_napi_add(ndev, &priv->napi[RAVB_NC], ravb_poll, 64);
+
+@@ -2194,8 +2197,6 @@ static int ravb_probe(struct platform_device *pdev)
+ out_napi_del:
+ netif_napi_del(&priv->napi[RAVB_NC]);
+ netif_napi_del(&priv->napi[RAVB_BE]);
+- ravb_mdio_release(priv);
+-out_dma_free:
+ dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat,
+ priv->desc_bat_dma);
+
+@@ -2227,7 +2228,6 @@ static int ravb_remove(struct platform_device *pdev)
+ unregister_netdev(ndev);
+ netif_napi_del(&priv->napi[RAVB_NC]);
+ netif_napi_del(&priv->napi[RAVB_BE]);
+- ravb_mdio_release(priv);
+ pm_runtime_disable(&pdev->dev);
+ free_netdev(ndev);
+ platform_set_drvdata(pdev, NULL);
+--
+2.25.1
+
--- /dev/null
+From 4ac45d73bcbde02547c06301cf915d48d6511bc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 14:12:33 +0100
+Subject: rxrpc: Keep the ACK serial in a var in rxrpc_input_ack()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 68528d937dcd675e79973061c1a314db598162d1 ]
+
+Keep the ACK serial number in a variable in rxrpc_input_ack() as it's used
+frequently.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/input.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index 22dec6049e1bb..6cace43b217ee 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -844,7 +844,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb)
+ struct rxrpc_ackinfo info;
+ u8 acks[RXRPC_MAXACKS];
+ } buf;
+- rxrpc_serial_t acked_serial;
++ rxrpc_serial_t ack_serial, acked_serial;
+ rxrpc_seq_t first_soft_ack, hard_ack, prev_pkt;
+ int nr_acks, offset, ioffset;
+
+@@ -857,6 +857,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb)
+ }
+ offset += sizeof(buf.ack);
+
++ ack_serial = sp->hdr.serial;
+ acked_serial = ntohl(buf.ack.serial);
+ first_soft_ack = ntohl(buf.ack.firstPacket);
+ prev_pkt = ntohl(buf.ack.previousPacket);
+@@ -865,31 +866,31 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb)
+ summary.ack_reason = (buf.ack.reason < RXRPC_ACK__INVALID ?
+ buf.ack.reason : RXRPC_ACK__INVALID);
+
+- trace_rxrpc_rx_ack(call, sp->hdr.serial, acked_serial,
++ trace_rxrpc_rx_ack(call, ack_serial, acked_serial,
+ first_soft_ack, prev_pkt,
+ summary.ack_reason, nr_acks);
+
+ if (buf.ack.reason == RXRPC_ACK_PING_RESPONSE)
+ rxrpc_input_ping_response(call, skb->tstamp, acked_serial,
+- sp->hdr.serial);
++ ack_serial);
+ if (buf.ack.reason == RXRPC_ACK_REQUESTED)
+ rxrpc_input_requested_ack(call, skb->tstamp, acked_serial,
+- sp->hdr.serial);
++ ack_serial);
+
+ if (buf.ack.reason == RXRPC_ACK_PING) {
+- _proto("Rx ACK %%%u PING Request", sp->hdr.serial);
++ _proto("Rx ACK %%%u PING Request", ack_serial);
+ rxrpc_propose_ACK(call, RXRPC_ACK_PING_RESPONSE,
+- sp->hdr.serial, true, true,
++ ack_serial, true, true,
+ rxrpc_propose_ack_respond_to_ping);
+ } else if (sp->hdr.flags & RXRPC_REQUEST_ACK) {
+ rxrpc_propose_ACK(call, RXRPC_ACK_REQUESTED,
+- sp->hdr.serial, true, true,
++ ack_serial, true, true,
+ rxrpc_propose_ack_respond_to_ack);
+ }
+
+ /* Discard any out-of-order or duplicate ACKs (outside lock). */
+ if (!rxrpc_is_ack_valid(call, first_soft_ack, prev_pkt)) {
+- trace_rxrpc_rx_discard_ack(call->debug_id, sp->hdr.serial,
++ trace_rxrpc_rx_discard_ack(call->debug_id, ack_serial,
+ first_soft_ack, call->ackr_first_seq,
+ prev_pkt, call->ackr_prev_seq);
+ return;
+@@ -905,7 +906,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb)
+
+ /* Discard any out-of-order or duplicate ACKs (inside lock). */
+ if (!rxrpc_is_ack_valid(call, first_soft_ack, prev_pkt)) {
+- trace_rxrpc_rx_discard_ack(call->debug_id, sp->hdr.serial,
++ trace_rxrpc_rx_discard_ack(call->debug_id, ack_serial,
+ first_soft_ack, call->ackr_first_seq,
+ prev_pkt, call->ackr_prev_seq);
+ goto out;
+@@ -965,7 +966,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb)
+ RXRPC_TX_ANNO_LAST &&
+ summary.nr_acks == call->tx_top - hard_ack &&
+ rxrpc_is_client_call(call))
+- rxrpc_propose_ACK(call, RXRPC_ACK_PING, sp->hdr.serial,
++ rxrpc_propose_ACK(call, RXRPC_ACK_PING, ack_serial,
+ false, true,
+ rxrpc_propose_ack_ping_for_lost_reply);
+
+--
+2.25.1
+
--- /dev/null
+From 0b647ba3c11fbf8f44fcb34b7e4a11e0d7d16660 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 15:13:00 +0100
+Subject: rxrpc: Make rxrpc_kernel_get_srtt() indicate validity
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 1d4adfaf65746203861c72d9d78de349eb97d528 ]
+
+Fix rxrpc_kernel_get_srtt() to indicate the validity of the returned
+smoothed RTT. If we haven't had any valid samples yet, the SRTT isn't
+useful.
+
+Fixes: c410bf01933e ("rxrpc: Fix the excessive initial retransmission timeout")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/fs_probe.c | 4 ++--
+ fs/afs/vl_probe.c | 4 ++--
+ include/net/af_rxrpc.h | 2 +-
+ net/rxrpc/peer_object.c | 16 +++++++++++++---
+ 4 files changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/fs/afs/fs_probe.c b/fs/afs/fs_probe.c
+index 02e976ca5732f..51ee3dd79700f 100644
+--- a/fs/afs/fs_probe.c
++++ b/fs/afs/fs_probe.c
+@@ -92,8 +92,8 @@ responded:
+ }
+ }
+
+- rtt_us = rxrpc_kernel_get_srtt(call->net->socket, call->rxcall);
+- if (rtt_us < server->probe.rtt) {
++ if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) &&
++ rtt_us < server->probe.rtt) {
+ server->probe.rtt = rtt_us;
+ alist->preferred = index;
+ have_result = true;
+diff --git a/fs/afs/vl_probe.c b/fs/afs/vl_probe.c
+index e3aa013c21779..081b7e5b13f58 100644
+--- a/fs/afs/vl_probe.c
++++ b/fs/afs/vl_probe.c
+@@ -92,8 +92,8 @@ responded:
+ }
+ }
+
+- rtt_us = rxrpc_kernel_get_srtt(call->net->socket, call->rxcall);
+- if (rtt_us < server->probe.rtt) {
++ if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) &&
++ rtt_us < server->probe.rtt) {
+ server->probe.rtt = rtt_us;
+ alist->preferred = index;
+ have_result = true;
+diff --git a/include/net/af_rxrpc.h b/include/net/af_rxrpc.h
+index ab988940bf045..55b980b21f4b4 100644
+--- a/include/net/af_rxrpc.h
++++ b/include/net/af_rxrpc.h
+@@ -59,7 +59,7 @@ bool rxrpc_kernel_abort_call(struct socket *, struct rxrpc_call *,
+ void rxrpc_kernel_end_call(struct socket *, struct rxrpc_call *);
+ void rxrpc_kernel_get_peer(struct socket *, struct rxrpc_call *,
+ struct sockaddr_rxrpc *);
+-u32 rxrpc_kernel_get_srtt(struct socket *, struct rxrpc_call *);
++bool rxrpc_kernel_get_srtt(struct socket *, struct rxrpc_call *, u32 *);
+ int rxrpc_kernel_charge_accept(struct socket *, rxrpc_notify_rx_t,
+ rxrpc_user_attach_call_t, unsigned long, gfp_t,
+ unsigned int);
+diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c
+index efce27802a74f..e011594adcd13 100644
+--- a/net/rxrpc/peer_object.c
++++ b/net/rxrpc/peer_object.c
+@@ -500,11 +500,21 @@ EXPORT_SYMBOL(rxrpc_kernel_get_peer);
+ * rxrpc_kernel_get_srtt - Get a call's peer smoothed RTT
+ * @sock: The socket on which the call is in progress.
+ * @call: The call to query
++ * @_srtt: Where to store the SRTT value.
+ *
+- * Get the call's peer smoothed RTT.
++ * Get the call's peer smoothed RTT in uS.
+ */
+-u32 rxrpc_kernel_get_srtt(struct socket *sock, struct rxrpc_call *call)
++bool rxrpc_kernel_get_srtt(struct socket *sock, struct rxrpc_call *call,
++ u32 *_srtt)
+ {
+- return call->peer->srtt_us >> 3;
++ struct rxrpc_peer *peer = call->peer;
++
++ if (peer->rtt_count == 0) {
++ *_srtt = 1000000; /* 1S */
++ return false;
++ }
++
++ *_srtt = call->peer->srtt_us >> 3;
++ return true;
+ }
+ EXPORT_SYMBOL(rxrpc_kernel_get_srtt);
+--
+2.25.1
+
--- /dev/null
+From 826dc3bde7bfe8b89b9490289e70ff74d8dcc47e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 10:17:36 +0200
+Subject: selftests/bpf: Fix massive output from test_maps
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+[ Upstream commit fa4505675e093e895b7ec49a76d44f6b5ad9602e ]
+
+When stdout output from the selftests tool 'test_maps' gets redirected
+into e.g file or pipe, then the output lines increase a lot (from 21
+to 33949 lines). This is caused by the printf that happens before the
+fork() call, and there are user-space buffered printf data that seems
+to be duplicated into the forked process.
+
+To fix this fflush() stdout before the fork loop in __run_parallel().
+
+Fixes: 1a97cf1fe503 ("selftests/bpf: speedup test_maps")
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/159842985651.1050885.2154399297503372406.stgit@firesoul
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_maps.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c
+index c812f0178b643..1c4219ceced2f 100644
+--- a/tools/testing/selftests/bpf/test_maps.c
++++ b/tools/testing/selftests/bpf/test_maps.c
+@@ -1282,6 +1282,8 @@ static void __run_parallel(unsigned int tasks,
+ pid_t pid[tasks];
+ int i;
+
++ fflush(stdout);
++
+ for (i = 0; i < tasks; i++) {
+ pid[i] = fork();
+ if (pid[i] == 0) {
+--
+2.25.1
+
drm-amd-display-fix-memleak-in-amdgpu_dm_mode_config.patch
xen-xenbus-fix-granting-of-vmalloc-d-memory.patch
fsldma-fix-very-broken-32-bit-ppc-ioread64-functiona.patch
+dmaengine-of-dma-fix-of_dma_router_xlate-s-of_dma_xl.patch
+batman-adv-avoid-uninitialized-chaddr-when-handling-.patch
+batman-adv-fix-own-ogm-check-in-aggregated-ogms.patch
+batman-adv-bla-use-netif_rx_ni-when-not-in-interrupt.patch
+dmaengine-at_hdmac-check-return-value-of-of_find_dev.patch
+rxrpc-keep-the-ack-serial-in-a-var-in-rxrpc_input_ac.patch
+rxrpc-make-rxrpc_kernel_get_srtt-indicate-validity.patch
+mips-mm-bmips5000-has-inclusive-physical-caches.patch
+mips-bmips-also-call-bmips_cpu_setup-for-secondary-c.patch
+mmc-sdhci-acpi-fix-hs400-tuning-for-amdi0040.patch
+netfilter-nf_tables-add-nfta_set_userdata-if-not-nul.patch
+netfilter-nf_tables-incorrect-enum-nft_list_attribut.patch
+netfilter-nf_tables-fix-destination-register-zeroing.patch
+net-hns-fix-memleak-in-hns_nic_dev_probe.patch
+net-systemport-fix-memleak-in-bcm_sysport_probe.patch
+ravb-fixed-to-be-able-to-unload-modules.patch
+net-arc_emac-fix-memleak-in-arc_mdio_probe.patch
+dmaengine-pl330-fix-burst-length-if-burst-size-is-sm.patch
+gtp-add-gtpa_link-info-to-msg-sent-to-userspace.patch
+net-ethernet-ti-cpsw-fix-clean-up-of-vlan-mc-entries.patch
+bnxt_en-don-t-query-fw-when-netif_running-is-false.patch
+bnxt_en-check-for-zero-dir-entries-in-nvram.patch
+bnxt_en-fix-pci-aer-error-recovery-flow.patch
+bnxt_en-fix-possible-crash-in-bnxt_fw_reset_task.patch
+bnxt_en-fix-hwrm-error-when-querying-vf-temperature.patch
+xfs-fix-boundary-test-in-xfs_attr_shortform_verify.patch
+bnxt-don-t-enable-napi-until-rings-are-ready.patch
+media-vicodec-add-missing-v4l2_ctrl_request_hdl_put.patch
+media-cedrus-add-missing-v4l2_ctrl_request_hdl_put.patch
+selftests-bpf-fix-massive-output-from-test_maps.patch
+net-dsa-mt7530-fix-advertising-unsupported-1000baset.patch
+netfilter-nfnetlink-nfnetlink_unicast-reports-eagain.patch
+nvmet-fc-fix-a-missed-_irqsave-version-of-spin_lock-.patch
+nvme-fix-controller-instance-leak.patch
+cxgb4-fix-thermal-zone-device-registration.patch
+perf-tools-correct-snoopx-field-offset.patch
+net-ethernet-mlx4-fix-memory-allocation-in-mlx4_budd.patch
+fix-regression-in-epoll-keep-a-reference-on-files-ad.patch
+net-gemini-fix-another-missing-clk_disable_unprepare.patch
+drm-radeon-prefer-lower-feedback-dividers.patch
+mips-add-missing-msacsr-and-upper-msa-initialization.patch
+xfs-fix-xfs_bmap_validate_extent_raw-when-checking-a.patch
+perf-jevents-fix-suspicious-code-in-fixregex.patch
+tg3-fix-soft-lockup-when-tg3_reset_task-fails.patch
+x86-fakenuma-fix-invalid-starting-node-id.patch
+iommu-vt-d-serialize-iommu-gcmd-register-modificatio.patch
+thermal-ti-soc-thermal-fix-bogus-thermal-shutdowns-f.patch
+thermal-qcom-spmi-temp-alarm-don-t-suppress-negative.patch
+iommu-amd-restore-irte.remapen-bit-after-programming.patch
+net-packet-fix-overflow-in-tpacket_rcv.patch
+include-linux-log2.h-add-missing-around-n-in-roundup.patch
+vfio-type1-support-faulting-pfnmap-vmas.patch
+vfio-pci-fault-mmaps-to-enable-vma-tracking.patch
+vfio-pci-invalidate-mmaps-and-block-mmio-access-on-d.patch
--- /dev/null
+From db6e84afb80188a7a9e226964ea285ede92415d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Sep 2020 14:28:54 -0400
+Subject: tg3: Fix soft lockup when tg3_reset_task() fails.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 556699341efa98243e08e34401b3f601da91f5a3 ]
+
+If tg3_reset_task() fails, the device state is left in an inconsistent
+state with IFF_RUNNING still set but NAPI state not enabled. A
+subsequent operation, such as ifdown or AER error can cause it to
+soft lock up when it tries to disable NAPI state.
+
+Fix it by bringing down the device to !IFF_RUNNING state when
+tg3_reset_task() fails. tg3_reset_task() running from workqueue
+will now call tg3_close() when the reset fails. We need to
+modify tg3_reset_task_cancel() slightly to avoid tg3_close()
+calling cancel_work_sync() to cancel tg3_reset_task(). Otherwise
+cancel_work_sync() will wait forever for tg3_reset_task() to
+finish.
+
+Reported-by: David Christensen <drc@linux.vnet.ibm.com>
+Reported-by: Baptiste Covolato <baptiste@arista.com>
+Fixes: db2199737990 ("tg3: Schedule at most one tg3_reset_task run")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/tg3.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index e12ba81288e64..70bd79dc43f2e 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -7227,8 +7227,8 @@ static inline void tg3_reset_task_schedule(struct tg3 *tp)
+
+ static inline void tg3_reset_task_cancel(struct tg3 *tp)
+ {
+- cancel_work_sync(&tp->reset_task);
+- tg3_flag_clear(tp, RESET_TASK_PENDING);
++ if (test_and_clear_bit(TG3_FLAG_RESET_TASK_PENDING, tp->tg3_flags))
++ cancel_work_sync(&tp->reset_task);
+ tg3_flag_clear(tp, TX_RECOVERY_PENDING);
+ }
+
+@@ -11219,18 +11219,27 @@ static void tg3_reset_task(struct work_struct *work)
+
+ tg3_halt(tp, RESET_KIND_SHUTDOWN, 0);
+ err = tg3_init_hw(tp, true);
+- if (err)
++ if (err) {
++ tg3_full_unlock(tp);
++ tp->irq_sync = 0;
++ tg3_napi_enable(tp);
++ /* Clear this flag so that tg3_reset_task_cancel() will not
++ * call cancel_work_sync() and wait forever.
++ */
++ tg3_flag_clear(tp, RESET_TASK_PENDING);
++ dev_close(tp->dev);
+ goto out;
++ }
+
+ tg3_netif_start(tp);
+
+-out:
+ tg3_full_unlock(tp);
+
+ if (!err)
+ tg3_phy_start(tp);
+
+ tg3_flag_clear(tp, RESET_TASK_PENDING);
++out:
+ rtnl_unlock();
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 2d3d749622d02cc8f7a8a0e4a79fb5e20401e6ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 09:52:51 -0700
+Subject: thermal: qcom-spmi-temp-alarm: Don't suppress negative temp
+
+From: Veera Vegivada <vvegivad@codeaurora.org>
+
+[ Upstream commit 0ffdab6f2dea9e23ec33230de24e492ff0b186d9 ]
+
+Currently driver is suppressing the negative temperature
+readings from the vadc. Consumers of the thermal zones need
+to read the negative temperature too. Don't suppress the
+readings.
+
+Fixes: c610afaa21d3c6e ("thermal: Add QPNP PMIC temperature alarm driver")
+Signed-off-by: Veera Vegivada <vvegivad@codeaurora.org>
+Signed-off-by: Guru Das Srinagesh <gurus@codeaurora.org>
+Reviewed-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/944856eb819081268fab783236a916257de120e4.1596040416.git.gurus@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
+index bf7bae42c141c..6dc879fea9c8a 100644
+--- a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
++++ b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0-only
+ /*
+- * Copyright (c) 2011-2015, 2017, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2011-2015, 2017, 2020, The Linux Foundation. All rights reserved.
+ */
+
+ #include <linux/bitops.h>
+@@ -191,7 +191,7 @@ static int qpnp_tm_get_temp(void *data, int *temp)
+ chip->temp = mili_celsius;
+ }
+
+- *temp = chip->temp < 0 ? 0 : chip->temp;
++ *temp = chip->temp;
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 55a914d650bc4cb832604fa67fc4e6b0d608f832 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 11:33:38 -0700
+Subject: thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 30d24faba0532d6972df79a1bf060601994b5873 ]
+
+We can sometimes get bogus thermal shutdowns on omap4430 at least with
+droid4 running idle with a battery charger connected:
+
+thermal thermal_zone0: critical temperature reached (143 C), shutting down
+
+Dumping out the register values shows we can occasionally get a 0x7f value
+that is outside the TRM listed values in the ADC conversion table. And then
+we get a normal value when reading again after that. Reading the register
+multiple times does not seem help avoiding the bogus values as they stay
+until the next sample is ready.
+
+Looking at the TRM chapter "18.4.10.2.3 ADC Codes Versus Temperature", we
+should have values from 13 to 107 listed with a total of 95 values. But
+looking at the omap4430_adc_to_temp array, the values are off, and the
+end values are missing. And it seems that the 4430 ADC table is similar
+to omap3630 rather than omap4460.
+
+Let's fix the issue by using values based on the omap3630 table and just
+ignoring invalid values. Compared to the 4430 TRM, the omap3630 table has
+the missing values added while the TRM table only shows every second
+value.
+
+Note that sometimes the ADC register values within the valid table can
+also be way off for about 1 out of 10 values. But it seems that those
+just show about 25 C too low values rather than too high values. So those
+do not cause a bogus thermal shutdown.
+
+Fixes: 1a31270e54d7 ("staging: omap-thermal: add OMAP4 data structures")
+Cc: Merlijn Wajer <merlijn@wizzup.org>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20200706183338.25622-1-tony@atomide.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ti-soc-thermal/omap4-thermal-data.c | 23 ++++++++++---------
+ .../thermal/ti-soc-thermal/omap4xxx-bandgap.h | 10 +++++---
+ 2 files changed, 19 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c
+index 63b02bfb2adf6..fdb8a495ab69a 100644
+--- a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c
++++ b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c
+@@ -37,20 +37,21 @@ static struct temp_sensor_data omap4430_mpu_temp_sensor_data = {
+
+ /*
+ * Temperature values in milli degree celsius
+- * ADC code values from 530 to 923
++ * ADC code values from 13 to 107, see TRM
++ * "18.4.10.2.3 ADC Codes Versus Temperature".
+ */
+ static const int
+ omap4430_adc_to_temp[OMAP4430_ADC_END_VALUE - OMAP4430_ADC_START_VALUE + 1] = {
+- -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000, -22000,
+- -20000, -18000, -17000, -15000, -13000, -12000, -10000, -8000, -6000,
+- -5000, -3000, -1000, 0, 2000, 3000, 5000, 6000, 8000, 10000, 12000,
+- 13000, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28000, 30000,
+- 32000, 33000, 35000, 37000, 38000, 40000, 42000, 43000, 45000, 47000,
+- 48000, 50000, 52000, 53000, 55000, 57000, 58000, 60000, 62000, 64000,
+- 66000, 68000, 70000, 71000, 73000, 75000, 77000, 78000, 80000, 82000,
+- 83000, 85000, 87000, 88000, 90000, 92000, 93000, 95000, 97000, 98000,
+- 100000, 102000, 103000, 105000, 107000, 109000, 111000, 113000, 115000,
+- 117000, 118000, 120000, 122000, 123000,
++ -40000, -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000,
++ -22000, -20000, -18500, -17000, -15000, -13500, -12000, -10000, -8000,
++ -6500, -5000, -3500, -1500, 0, 2000, 3500, 5000, 6500, 8500, 10000,
++ 12000, 13500, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28500,
++ 30000, 32000, 33500, 35000, 37000, 38500, 40000, 42000, 43500, 45000,
++ 47000, 48500, 50000, 52000, 53500, 55000, 57000, 58500, 60000, 62000,
++ 64000, 66000, 68000, 70000, 71500, 73500, 75000, 77000, 78500, 80000,
++ 82000, 83500, 85000, 87000, 88500, 90000, 92000, 93500, 95000, 97000,
++ 98500, 100000, 102000, 103500, 105000, 107000, 109000, 111000, 113000,
++ 115000, 117000, 118500, 120000, 122000, 123500, 125000,
+ };
+
+ /* OMAP4430 data */
+diff --git a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h
+index a453ff8eb313e..9a3955c3853ba 100644
+--- a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h
++++ b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h
+@@ -53,9 +53,13 @@
+ * and thresholds for OMAP4430.
+ */
+
+-/* ADC conversion table limits */
+-#define OMAP4430_ADC_START_VALUE 0
+-#define OMAP4430_ADC_END_VALUE 127
++/*
++ * ADC conversion table limits. Ignore values outside the TRM listed
++ * range to avoid bogus thermal shutdowns. See omap4430 TRM chapter
++ * "18.4.10.2.3 ADC Codes Versus Temperature".
++ */
++#define OMAP4430_ADC_START_VALUE 13
++#define OMAP4430_ADC_END_VALUE 107
+ /* bandgap clock limits (no control on 4430) */
+ #define OMAP4430_MAX_FREQ 32768
+ #define OMAP4430_MIN_FREQ 32768
+--
+2.25.1
+
--- /dev/null
+From d206bf0d0a68c3fd8ef342d291f6619034363c1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Sep 2020 19:37:55 +0530
+Subject: vfio-pci: Fault mmaps to enable vma tracking
+
+From: Ajay Kaher <akaher@vmware.com>
+
+commit 11c4cd07ba111a09f49625f9e4c851d83daf0a22 upstream.
+
+Rather than calling remap_pfn_range() when a region is mmap'd, setup
+a vm_ops handler to support dynamic faulting of the range on access.
+This allows us to manage a list of vmas actively mapping the area that
+we can later use to invalidate those mappings. The open callback
+invalidates the vma range so that all tracking is inserted in the
+fault handler and removed in the close handler.
+
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Ajay Kaher <akaher@vmware.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci.c | 76 ++++++++++++++++++++++++++++-
+ drivers/vfio/pci/vfio_pci_private.h | 7 +++
+ 2 files changed, 81 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
+index 02206162eaa9e..da1d1eac0def1 100644
+--- a/drivers/vfio/pci/vfio_pci.c
++++ b/drivers/vfio/pci/vfio_pci.c
+@@ -1192,6 +1192,70 @@ static ssize_t vfio_pci_write(void *device_data, const char __user *buf,
+ return vfio_pci_rw(device_data, (char __user *)buf, count, ppos, true);
+ }
+
++static int vfio_pci_add_vma(struct vfio_pci_device *vdev,
++ struct vm_area_struct *vma)
++{
++ struct vfio_pci_mmap_vma *mmap_vma;
++
++ mmap_vma = kmalloc(sizeof(*mmap_vma), GFP_KERNEL);
++ if (!mmap_vma)
++ return -ENOMEM;
++
++ mmap_vma->vma = vma;
++
++ mutex_lock(&vdev->vma_lock);
++ list_add(&mmap_vma->vma_next, &vdev->vma_list);
++ mutex_unlock(&vdev->vma_lock);
++
++ return 0;
++}
++
++/*
++ * Zap mmaps on open so that we can fault them in on access and therefore
++ * our vma_list only tracks mappings accessed since last zap.
++ */
++static void vfio_pci_mmap_open(struct vm_area_struct *vma)
++{
++ zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
++}
++
++static void vfio_pci_mmap_close(struct vm_area_struct *vma)
++{
++ struct vfio_pci_device *vdev = vma->vm_private_data;
++ struct vfio_pci_mmap_vma *mmap_vma;
++
++ mutex_lock(&vdev->vma_lock);
++ list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) {
++ if (mmap_vma->vma == vma) {
++ list_del(&mmap_vma->vma_next);
++ kfree(mmap_vma);
++ break;
++ }
++ }
++ mutex_unlock(&vdev->vma_lock);
++}
++
++static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf)
++{
++ struct vm_area_struct *vma = vmf->vma;
++ struct vfio_pci_device *vdev = vma->vm_private_data;
++
++ if (vfio_pci_add_vma(vdev, vma))
++ return VM_FAULT_OOM;
++
++ if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
++ vma->vm_end - vma->vm_start, vma->vm_page_prot))
++ return VM_FAULT_SIGBUS;
++
++ return VM_FAULT_NOPAGE;
++}
++
++static const struct vm_operations_struct vfio_pci_mmap_ops = {
++ .open = vfio_pci_mmap_open,
++ .close = vfio_pci_mmap_close,
++ .fault = vfio_pci_mmap_fault,
++};
++
+ static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma)
+ {
+ struct vfio_pci_device *vdev = device_data;
+@@ -1250,8 +1314,14 @@ static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma)
+ vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+ vma->vm_pgoff = (pci_resource_start(pdev, index) >> PAGE_SHIFT) + pgoff;
+
+- return remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
+- req_len, vma->vm_page_prot);
++ /*
++ * See remap_pfn_range(), called from vfio_pci_fault() but we can't
++ * change vm_flags within the fault handler. Set them now.
++ */
++ vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;
++ vma->vm_ops = &vfio_pci_mmap_ops;
++
++ return 0;
+ }
+
+ static void vfio_pci_request(void *device_data, unsigned int count)
+@@ -1327,6 +1397,8 @@ static int vfio_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ spin_lock_init(&vdev->irqlock);
+ mutex_init(&vdev->ioeventfds_lock);
+ INIT_LIST_HEAD(&vdev->ioeventfds_list);
++ mutex_init(&vdev->vma_lock);
++ INIT_LIST_HEAD(&vdev->vma_list);
+
+ ret = vfio_add_group_dev(&pdev->dev, &vfio_pci_ops, vdev);
+ if (ret) {
+diff --git a/drivers/vfio/pci/vfio_pci_private.h b/drivers/vfio/pci/vfio_pci_private.h
+index ee6ee91718a4d..898844894ed85 100644
+--- a/drivers/vfio/pci/vfio_pci_private.h
++++ b/drivers/vfio/pci/vfio_pci_private.h
+@@ -84,6 +84,11 @@ struct vfio_pci_reflck {
+ struct mutex lock;
+ };
+
++struct vfio_pci_mmap_vma {
++ struct vm_area_struct *vma;
++ struct list_head vma_next;
++};
++
+ struct vfio_pci_device {
+ struct pci_dev *pdev;
+ void __iomem *barmap[PCI_STD_RESOURCE_END + 1];
+@@ -122,6 +127,8 @@ struct vfio_pci_device {
+ struct list_head dummy_resources_list;
+ struct mutex ioeventfds_lock;
+ struct list_head ioeventfds_list;
++ struct mutex vma_lock;
++ struct list_head vma_list;
+ };
+
+ #define is_intx(vdev) (vdev->irq_type == VFIO_PCI_INTX_IRQ_INDEX)
+--
+2.25.1
+
--- /dev/null
+From 7f13ff01a76ef498616f4bbe85da2e496981a3c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Sep 2020 19:37:56 +0530
+Subject: vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
+
+From: Ajay Kaher <akaher@vmware.com>
+
+commit abafbc551fddede3e0a08dee1dcde08fc0eb8476 upstream.
+
+Accessing the disabled memory space of a PCI device would typically
+result in a master abort response on conventional PCI, or an
+unsupported request on PCI express. The user would generally see
+these as a -1 response for the read return data and the write would be
+silently discarded, possibly with an uncorrected, non-fatal AER error
+triggered on the host. Some systems however take it upon themselves
+to bring down the entire system when they see something that might
+indicate a loss of data, such as this discarded write to a disabled
+memory space.
+
+To avoid this, we want to try to block the user from accessing memory
+spaces while they're disabled. We start with a semaphore around the
+memory enable bit, where writers modify the memory enable state and
+must be serialized, while readers make use of the memory region and
+can access in parallel. Writers include both direct manipulation via
+the command register, as well as any reset path where the internal
+mechanics of the reset may both explicitly and implicitly disable
+memory access, and manipulation of the MSI-X configuration, where the
+MSI-X vector table resides in MMIO space of the device. Readers
+include the read and write file ops to access the vfio device fd
+offsets as well as memory mapped access. In the latter case, we make
+use of our new vma list support to zap, or invalidate, those memory
+mappings in order to force them to be faulted back in on access.
+
+Our semaphore usage will stall user access to MMIO spaces across
+internal operations like reset, but the user might experience new
+behavior when trying to access the MMIO space while disabled via the
+PCI command register. Access via read or write while disabled will
+return -EIO and access via memory maps will result in a SIGBUS. This
+is expected to be compatible with known use cases and potentially
+provides better error handling capabilities than present in the
+hardware, while avoiding the more readily accessible and severe
+platform error responses that might otherwise occur.
+
+Fixes: CVE-2020-12888
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Ajay Kaher <akaher@vmware.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci.c | 291 ++++++++++++++++++++++++----
+ drivers/vfio/pci/vfio_pci_config.c | 36 +++-
+ drivers/vfio/pci/vfio_pci_intrs.c | 14 ++
+ drivers/vfio/pci/vfio_pci_private.h | 8 +
+ drivers/vfio/pci/vfio_pci_rdwr.c | 24 ++-
+ 5 files changed, 330 insertions(+), 43 deletions(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
+index da1d1eac0def1..0d16f9806655f 100644
+--- a/drivers/vfio/pci/vfio_pci.c
++++ b/drivers/vfio/pci/vfio_pci.c
+@@ -27,6 +27,7 @@
+ #include <linux/vfio.h>
+ #include <linux/vgaarb.h>
+ #include <linux/nospec.h>
++#include <linux/sched/mm.h>
+
+ #include "vfio_pci_private.h"
+
+@@ -177,6 +178,7 @@ no_mmap:
+
+ static void vfio_pci_try_bus_reset(struct vfio_pci_device *vdev);
+ static void vfio_pci_disable(struct vfio_pci_device *vdev);
++static int vfio_pci_try_zap_and_vma_lock_cb(struct pci_dev *pdev, void *data);
+
+ /*
+ * INTx masking requires the ability to disable INTx signaling via PCI_COMMAND
+@@ -688,6 +690,12 @@ int vfio_pci_register_dev_region(struct vfio_pci_device *vdev,
+ return 0;
+ }
+
++struct vfio_devices {
++ struct vfio_device **devices;
++ int cur_index;
++ int max_index;
++};
++
+ static long vfio_pci_ioctl(void *device_data,
+ unsigned int cmd, unsigned long arg)
+ {
+@@ -761,7 +769,7 @@ static long vfio_pci_ioctl(void *device_data,
+ {
+ void __iomem *io;
+ size_t size;
+- u16 orig_cmd;
++ u16 cmd;
+
+ info.offset = VFIO_PCI_INDEX_TO_OFFSET(info.index);
+ info.flags = 0;
+@@ -781,10 +789,7 @@ static long vfio_pci_ioctl(void *device_data,
+ * Is it really there? Enable memory decode for
+ * implicit access in pci_map_rom().
+ */
+- pci_read_config_word(pdev, PCI_COMMAND, &orig_cmd);
+- pci_write_config_word(pdev, PCI_COMMAND,
+- orig_cmd | PCI_COMMAND_MEMORY);
+-
++ cmd = vfio_pci_memory_lock_and_enable(vdev);
+ io = pci_map_rom(pdev, &size);
+ if (io) {
+ info.flags = VFIO_REGION_INFO_FLAG_READ;
+@@ -792,8 +797,8 @@ static long vfio_pci_ioctl(void *device_data,
+ } else {
+ info.size = 0;
+ }
++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
+
+- pci_write_config_word(pdev, PCI_COMMAND, orig_cmd);
+ break;
+ }
+ case VFIO_PCI_VGA_REGION_INDEX:
+@@ -936,8 +941,16 @@ static long vfio_pci_ioctl(void *device_data,
+ return ret;
+
+ } else if (cmd == VFIO_DEVICE_RESET) {
+- return vdev->reset_works ?
+- pci_try_reset_function(vdev->pdev) : -EINVAL;
++ int ret;
++
++ if (!vdev->reset_works)
++ return -EINVAL;
++
++ vfio_pci_zap_and_down_write_memory_lock(vdev);
++ ret = pci_try_reset_function(vdev->pdev);
++ up_write(&vdev->memory_lock);
++
++ return ret;
+
+ } else if (cmd == VFIO_DEVICE_GET_PCI_HOT_RESET_INFO) {
+ struct vfio_pci_hot_reset_info hdr;
+@@ -1017,8 +1030,9 @@ reset_info_exit:
+ int32_t *group_fds;
+ struct vfio_pci_group_entry *groups;
+ struct vfio_pci_group_info info;
++ struct vfio_devices devs = { .cur_index = 0 };
+ bool slot = false;
+- int i, count = 0, ret = 0;
++ int i, group_idx, mem_idx = 0, count = 0, ret = 0;
+
+ minsz = offsetofend(struct vfio_pci_hot_reset, count);
+
+@@ -1070,9 +1084,9 @@ reset_info_exit:
+ * user interface and store the group and iommu ID. This
+ * ensures the group is held across the reset.
+ */
+- for (i = 0; i < hdr.count; i++) {
++ for (group_idx = 0; group_idx < hdr.count; group_idx++) {
+ struct vfio_group *group;
+- struct fd f = fdget(group_fds[i]);
++ struct fd f = fdget(group_fds[group_idx]);
+ if (!f.file) {
+ ret = -EBADF;
+ break;
+@@ -1085,8 +1099,9 @@ reset_info_exit:
+ break;
+ }
+
+- groups[i].group = group;
+- groups[i].id = vfio_external_user_iommu_id(group);
++ groups[group_idx].group = group;
++ groups[group_idx].id =
++ vfio_external_user_iommu_id(group);
+ }
+
+ kfree(group_fds);
+@@ -1105,13 +1120,63 @@ reset_info_exit:
+ ret = vfio_pci_for_each_slot_or_bus(vdev->pdev,
+ vfio_pci_validate_devs,
+ &info, slot);
+- if (!ret)
+- /* User has access, do the reset */
+- ret = pci_reset_bus(vdev->pdev);
++ if (ret)
++ goto hot_reset_release;
++
++ devs.max_index = count;
++ devs.devices = kcalloc(count, sizeof(struct vfio_device *),
++ GFP_KERNEL);
++ if (!devs.devices) {
++ ret = -ENOMEM;
++ goto hot_reset_release;
++ }
++
++ /*
++ * We need to get memory_lock for each device, but devices
++ * can share mmap_sem, therefore we need to zap and hold
++ * the vma_lock for each device, and only then get each
++ * memory_lock.
++ */
++ ret = vfio_pci_for_each_slot_or_bus(vdev->pdev,
++ vfio_pci_try_zap_and_vma_lock_cb,
++ &devs, slot);
++ if (ret)
++ goto hot_reset_release;
++
++ for (; mem_idx < devs.cur_index; mem_idx++) {
++ struct vfio_pci_device *tmp;
++
++ tmp = vfio_device_data(devs.devices[mem_idx]);
++
++ ret = down_write_trylock(&tmp->memory_lock);
++ if (!ret) {
++ ret = -EBUSY;
++ goto hot_reset_release;
++ }
++ mutex_unlock(&tmp->vma_lock);
++ }
++
++ /* User has access, do the reset */
++ ret = pci_reset_bus(vdev->pdev);
+
+ hot_reset_release:
+- for (i--; i >= 0; i--)
+- vfio_group_put_external_user(groups[i].group);
++ for (i = 0; i < devs.cur_index; i++) {
++ struct vfio_device *device;
++ struct vfio_pci_device *tmp;
++
++ device = devs.devices[i];
++ tmp = vfio_device_data(device);
++
++ if (i < mem_idx)
++ up_write(&tmp->memory_lock);
++ else
++ mutex_unlock(&tmp->vma_lock);
++ vfio_device_put(device);
++ }
++ kfree(devs.devices);
++
++ for (group_idx--; group_idx >= 0; group_idx--)
++ vfio_group_put_external_user(groups[group_idx].group);
+
+ kfree(groups);
+ return ret;
+@@ -1192,8 +1257,126 @@ static ssize_t vfio_pci_write(void *device_data, const char __user *buf,
+ return vfio_pci_rw(device_data, (char __user *)buf, count, ppos, true);
+ }
+
+-static int vfio_pci_add_vma(struct vfio_pci_device *vdev,
+- struct vm_area_struct *vma)
++/* Return 1 on zap and vma_lock acquired, 0 on contention (only with @try) */
++static int vfio_pci_zap_and_vma_lock(struct vfio_pci_device *vdev, bool try)
++{
++ struct vfio_pci_mmap_vma *mmap_vma, *tmp;
++
++ /*
++ * Lock ordering:
++ * vma_lock is nested under mmap_sem for vm_ops callback paths.
++ * The memory_lock semaphore is used by both code paths calling
++ * into this function to zap vmas and the vm_ops.fault callback
++ * to protect the memory enable state of the device.
++ *
++ * When zapping vmas we need to maintain the mmap_sem => vma_lock
++ * ordering, which requires using vma_lock to walk vma_list to
++ * acquire an mm, then dropping vma_lock to get the mmap_sem and
++ * reacquiring vma_lock. This logic is derived from similar
++ * requirements in uverbs_user_mmap_disassociate().
++ *
++ * mmap_sem must always be the top-level lock when it is taken.
++ * Therefore we can only hold the memory_lock write lock when
++ * vma_list is empty, as we'd need to take mmap_sem to clear
++ * entries. vma_list can only be guaranteed empty when holding
++ * vma_lock, thus memory_lock is nested under vma_lock.
++ *
++ * This enables the vm_ops.fault callback to acquire vma_lock,
++ * followed by memory_lock read lock, while already holding
++ * mmap_sem without risk of deadlock.
++ */
++ while (1) {
++ struct mm_struct *mm = NULL;
++
++ if (try) {
++ if (!mutex_trylock(&vdev->vma_lock))
++ return 0;
++ } else {
++ mutex_lock(&vdev->vma_lock);
++ }
++ while (!list_empty(&vdev->vma_list)) {
++ mmap_vma = list_first_entry(&vdev->vma_list,
++ struct vfio_pci_mmap_vma,
++ vma_next);
++ mm = mmap_vma->vma->vm_mm;
++ if (mmget_not_zero(mm))
++ break;
++
++ list_del(&mmap_vma->vma_next);
++ kfree(mmap_vma);
++ mm = NULL;
++ }
++ if (!mm)
++ return 1;
++ mutex_unlock(&vdev->vma_lock);
++
++ if (try) {
++ if (!down_read_trylock(&mm->mmap_sem)) {
++ mmput(mm);
++ return 0;
++ }
++ } else {
++ down_read(&mm->mmap_sem);
++ }
++ if (mmget_still_valid(mm)) {
++ if (try) {
++ if (!mutex_trylock(&vdev->vma_lock)) {
++ up_read(&mm->mmap_sem);
++ mmput(mm);
++ return 0;
++ }
++ } else {
++ mutex_lock(&vdev->vma_lock);
++ }
++ list_for_each_entry_safe(mmap_vma, tmp,
++ &vdev->vma_list, vma_next) {
++ struct vm_area_struct *vma = mmap_vma->vma;
++
++ if (vma->vm_mm != mm)
++ continue;
++
++ list_del(&mmap_vma->vma_next);
++ kfree(mmap_vma);
++
++ zap_vma_ptes(vma, vma->vm_start,
++ vma->vm_end - vma->vm_start);
++ }
++ mutex_unlock(&vdev->vma_lock);
++ }
++ up_read(&mm->mmap_sem);
++ mmput(mm);
++ }
++}
++
++void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_device *vdev)
++{
++ vfio_pci_zap_and_vma_lock(vdev, false);
++ down_write(&vdev->memory_lock);
++ mutex_unlock(&vdev->vma_lock);
++}
++
++u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_device *vdev)
++{
++ u16 cmd;
++
++ down_write(&vdev->memory_lock);
++ pci_read_config_word(vdev->pdev, PCI_COMMAND, &cmd);
++ if (!(cmd & PCI_COMMAND_MEMORY))
++ pci_write_config_word(vdev->pdev, PCI_COMMAND,
++ cmd | PCI_COMMAND_MEMORY);
++
++ return cmd;
++}
++
++void vfio_pci_memory_unlock_and_restore(struct vfio_pci_device *vdev, u16 cmd)
++{
++ pci_write_config_word(vdev->pdev, PCI_COMMAND, cmd);
++ up_write(&vdev->memory_lock);
++}
++
++/* Caller holds vma_lock */
++static int __vfio_pci_add_vma(struct vfio_pci_device *vdev,
++ struct vm_area_struct *vma)
+ {
+ struct vfio_pci_mmap_vma *mmap_vma;
+
+@@ -1202,10 +1385,7 @@ static int vfio_pci_add_vma(struct vfio_pci_device *vdev,
+ return -ENOMEM;
+
+ mmap_vma->vma = vma;
+-
+- mutex_lock(&vdev->vma_lock);
+ list_add(&mmap_vma->vma_next, &vdev->vma_list);
+- mutex_unlock(&vdev->vma_lock);
+
+ return 0;
+ }
+@@ -1239,15 +1419,32 @@ static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf)
+ {
+ struct vm_area_struct *vma = vmf->vma;
+ struct vfio_pci_device *vdev = vma->vm_private_data;
++ vm_fault_t ret = VM_FAULT_NOPAGE;
++
++ mutex_lock(&vdev->vma_lock);
++ down_read(&vdev->memory_lock);
++
++ if (!__vfio_pci_memory_enabled(vdev)) {
++ ret = VM_FAULT_SIGBUS;
++ mutex_unlock(&vdev->vma_lock);
++ goto up_out;
++ }
++
++ if (__vfio_pci_add_vma(vdev, vma)) {
++ ret = VM_FAULT_OOM;
++ mutex_unlock(&vdev->vma_lock);
++ goto up_out;
++ }
+
+- if (vfio_pci_add_vma(vdev, vma))
+- return VM_FAULT_OOM;
++ mutex_unlock(&vdev->vma_lock);
+
+ if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
+ vma->vm_end - vma->vm_start, vma->vm_page_prot))
+- return VM_FAULT_SIGBUS;
++ ret = VM_FAULT_SIGBUS;
+
+- return VM_FAULT_NOPAGE;
++up_out:
++ up_read(&vdev->memory_lock);
++ return ret;
+ }
+
+ static const struct vm_operations_struct vfio_pci_mmap_ops = {
+@@ -1399,6 +1596,7 @@ static int vfio_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ INIT_LIST_HEAD(&vdev->ioeventfds_list);
+ mutex_init(&vdev->vma_lock);
+ INIT_LIST_HEAD(&vdev->vma_list);
++ init_rwsem(&vdev->memory_lock);
+
+ ret = vfio_add_group_dev(&pdev->dev, &vfio_pci_ops, vdev);
+ if (ret) {
+@@ -1588,12 +1786,6 @@ static void vfio_pci_reflck_put(struct vfio_pci_reflck *reflck)
+ kref_put_mutex(&reflck->kref, vfio_pci_reflck_release, &reflck_lock);
+ }
+
+-struct vfio_devices {
+- struct vfio_device **devices;
+- int cur_index;
+- int max_index;
+-};
+-
+ static int vfio_pci_get_unused_devs(struct pci_dev *pdev, void *data)
+ {
+ struct vfio_devices *devs = data;
+@@ -1624,6 +1816,39 @@ static int vfio_pci_get_unused_devs(struct pci_dev *pdev, void *data)
+ return 0;
+ }
+
++static int vfio_pci_try_zap_and_vma_lock_cb(struct pci_dev *pdev, void *data)
++{
++ struct vfio_devices *devs = data;
++ struct vfio_device *device;
++ struct vfio_pci_device *vdev;
++
++ if (devs->cur_index == devs->max_index)
++ return -ENOSPC;
++
++ device = vfio_device_get_from_dev(&pdev->dev);
++ if (!device)
++ return -EINVAL;
++
++ if (pci_dev_driver(pdev) != &vfio_pci_driver) {
++ vfio_device_put(device);
++ return -EBUSY;
++ }
++
++ vdev = vfio_device_data(device);
++
++ /*
++ * Locking multiple devices is prone to deadlock, runaway and
++ * unwind if we hit contention.
++ */
++ if (!vfio_pci_zap_and_vma_lock(vdev, true)) {
++ vfio_device_put(device);
++ return -EBUSY;
++ }
++
++ devs->devices[devs->cur_index++] = device;
++ return 0;
++}
++
+ /*
+ * If a bus or slot reset is available for the provided device and:
+ * - All of the devices affected by that bus or slot reset are unused
+diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
+index d6359c37c9e55..e8646873dadb1 100644
+--- a/drivers/vfio/pci/vfio_pci_config.c
++++ b/drivers/vfio/pci/vfio_pci_config.c
+@@ -395,6 +395,14 @@ static inline void p_setd(struct perm_bits *p, int off, u32 virt, u32 write)
+ *(__le32 *)(&p->write[off]) = cpu_to_le32(write);
+ }
+
++/* Caller should hold memory_lock semaphore */
++bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev)
++{
++ u16 cmd = le16_to_cpu(*(__le16 *)&vdev->vconfig[PCI_COMMAND]);
++
++ return cmd & PCI_COMMAND_MEMORY;
++}
++
+ /*
+ * Restore the *real* BARs after we detect a FLR or backdoor reset.
+ * (backdoor = some device specific technique that we didn't catch)
+@@ -554,13 +562,18 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos,
+
+ new_cmd = le32_to_cpu(val);
+
++ phys_io = !!(phys_cmd & PCI_COMMAND_IO);
++ virt_io = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_IO);
++ new_io = !!(new_cmd & PCI_COMMAND_IO);
++
+ phys_mem = !!(phys_cmd & PCI_COMMAND_MEMORY);
+ virt_mem = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_MEMORY);
+ new_mem = !!(new_cmd & PCI_COMMAND_MEMORY);
+
+- phys_io = !!(phys_cmd & PCI_COMMAND_IO);
+- virt_io = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_IO);
+- new_io = !!(new_cmd & PCI_COMMAND_IO);
++ if (!new_mem)
++ vfio_pci_zap_and_down_write_memory_lock(vdev);
++ else
++ down_write(&vdev->memory_lock);
+
+ /*
+ * If the user is writing mem/io enable (new_mem/io) and we
+@@ -577,8 +590,11 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos,
+ }
+
+ count = vfio_default_config_write(vdev, pos, count, perm, offset, val);
+- if (count < 0)
++ if (count < 0) {
++ if (offset == PCI_COMMAND)
++ up_write(&vdev->memory_lock);
+ return count;
++ }
+
+ /*
+ * Save current memory/io enable bits in vconfig to allow for
+@@ -589,6 +605,8 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos,
+
+ *virt_cmd &= cpu_to_le16(~mask);
+ *virt_cmd |= cpu_to_le16(new_cmd & mask);
++
++ up_write(&vdev->memory_lock);
+ }
+
+ /* Emulate INTx disable */
+@@ -826,8 +844,11 @@ static int vfio_exp_config_write(struct vfio_pci_device *vdev, int pos,
+ pos - offset + PCI_EXP_DEVCAP,
+ &cap);
+
+- if (!ret && (cap & PCI_EXP_DEVCAP_FLR))
++ if (!ret && (cap & PCI_EXP_DEVCAP_FLR)) {
++ vfio_pci_zap_and_down_write_memory_lock(vdev);
+ pci_try_reset_function(vdev->pdev);
++ up_write(&vdev->memory_lock);
++ }
+ }
+
+ /*
+@@ -905,8 +926,11 @@ static int vfio_af_config_write(struct vfio_pci_device *vdev, int pos,
+ pos - offset + PCI_AF_CAP,
+ &cap);
+
+- if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP))
++ if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP)) {
++ vfio_pci_zap_and_down_write_memory_lock(vdev);
+ pci_try_reset_function(vdev->pdev);
++ up_write(&vdev->memory_lock);
++ }
+ }
+
+ return count;
+diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
+index 2056f3f85f59b..1d9fb25929459 100644
+--- a/drivers/vfio/pci/vfio_pci_intrs.c
++++ b/drivers/vfio/pci/vfio_pci_intrs.c
+@@ -249,6 +249,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
+ struct pci_dev *pdev = vdev->pdev;
+ unsigned int flag = msix ? PCI_IRQ_MSIX : PCI_IRQ_MSI;
+ int ret;
++ u16 cmd;
+
+ if (!is_irq_none(vdev))
+ return -EINVAL;
+@@ -258,13 +259,16 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
+ return -ENOMEM;
+
+ /* return the number of supported vectors if we can't get all: */
++ cmd = vfio_pci_memory_lock_and_enable(vdev);
+ ret = pci_alloc_irq_vectors(pdev, 1, nvec, flag);
+ if (ret < nvec) {
+ if (ret > 0)
+ pci_free_irq_vectors(pdev);
++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
+ kfree(vdev->ctx);
+ return ret;
+ }
++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
+
+ vdev->num_ctx = nvec;
+ vdev->irq_type = msix ? VFIO_PCI_MSIX_IRQ_INDEX :
+@@ -287,6 +291,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
+ struct pci_dev *pdev = vdev->pdev;
+ struct eventfd_ctx *trigger;
+ int irq, ret;
++ u16 cmd;
+
+ if (vector < 0 || vector >= vdev->num_ctx)
+ return -EINVAL;
+@@ -295,7 +300,11 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
+
+ if (vdev->ctx[vector].trigger) {
+ irq_bypass_unregister_producer(&vdev->ctx[vector].producer);
++
++ cmd = vfio_pci_memory_lock_and_enable(vdev);
+ free_irq(irq, vdev->ctx[vector].trigger);
++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
++
+ kfree(vdev->ctx[vector].name);
+ eventfd_ctx_put(vdev->ctx[vector].trigger);
+ vdev->ctx[vector].trigger = NULL;
+@@ -323,6 +332,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
+ * such a reset it would be unsuccessful. To avoid this, restore the
+ * cached value of the message prior to enabling.
+ */
++ cmd = vfio_pci_memory_lock_and_enable(vdev);
+ if (msix) {
+ struct msi_msg msg;
+
+@@ -332,6 +342,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
+
+ ret = request_irq(irq, vfio_msihandler, 0,
+ vdev->ctx[vector].name, trigger);
++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
+ if (ret) {
+ kfree(vdev->ctx[vector].name);
+ eventfd_ctx_put(trigger);
+@@ -376,6 +387,7 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix)
+ {
+ struct pci_dev *pdev = vdev->pdev;
+ int i;
++ u16 cmd;
+
+ for (i = 0; i < vdev->num_ctx; i++) {
+ vfio_virqfd_disable(&vdev->ctx[i].unmask);
+@@ -384,7 +396,9 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix)
+
+ vfio_msi_set_block(vdev, 0, vdev->num_ctx, NULL, msix);
+
++ cmd = vfio_pci_memory_lock_and_enable(vdev);
+ pci_free_irq_vectors(pdev);
++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
+
+ /*
+ * Both disable paths above use pci_intx_for_msi() to clear DisINTx
+diff --git a/drivers/vfio/pci/vfio_pci_private.h b/drivers/vfio/pci/vfio_pci_private.h
+index 898844894ed85..987b4d311fde9 100644
+--- a/drivers/vfio/pci/vfio_pci_private.h
++++ b/drivers/vfio/pci/vfio_pci_private.h
+@@ -129,6 +129,7 @@ struct vfio_pci_device {
+ struct list_head ioeventfds_list;
+ struct mutex vma_lock;
+ struct list_head vma_list;
++ struct rw_semaphore memory_lock;
+ };
+
+ #define is_intx(vdev) (vdev->irq_type == VFIO_PCI_INTX_IRQ_INDEX)
+@@ -171,6 +172,13 @@ extern int vfio_pci_register_dev_region(struct vfio_pci_device *vdev,
+ extern int vfio_pci_set_power_state(struct vfio_pci_device *vdev,
+ pci_power_t state);
+
++extern bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev);
++extern void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_device
++ *vdev);
++extern u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_device *vdev);
++extern void vfio_pci_memory_unlock_and_restore(struct vfio_pci_device *vdev,
++ u16 cmd);
++
+ #ifdef CONFIG_VFIO_PCI_IGD
+ extern int vfio_pci_igd_init(struct vfio_pci_device *vdev);
+ #else
+diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c
+index 0120d8324a402..83f81d24df78e 100644
+--- a/drivers/vfio/pci/vfio_pci_rdwr.c
++++ b/drivers/vfio/pci/vfio_pci_rdwr.c
+@@ -162,6 +162,7 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
+ size_t x_start = 0, x_end = 0;
+ resource_size_t end;
+ void __iomem *io;
++ struct resource *res = &vdev->pdev->resource[bar];
+ ssize_t done;
+
+ if (pci_resource_start(pdev, bar))
+@@ -177,6 +178,14 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
+
+ count = min(count, (size_t)(end - pos));
+
++ if (res->flags & IORESOURCE_MEM) {
++ down_read(&vdev->memory_lock);
++ if (!__vfio_pci_memory_enabled(vdev)) {
++ up_read(&vdev->memory_lock);
++ return -EIO;
++ }
++ }
++
+ if (bar == PCI_ROM_RESOURCE) {
+ /*
+ * The ROM can fill less space than the BAR, so we start the
+@@ -184,13 +193,17 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
+ * filling large ROM BARs much faster.
+ */
+ io = pci_map_rom(pdev, &x_start);
+- if (!io)
+- return -ENOMEM;
++ if (!io) {
++ done = -ENOMEM;
++ goto out;
++ }
+ x_end = end;
+ } else {
+ int ret = vfio_pci_setup_barmap(vdev, bar);
+- if (ret)
+- return ret;
++ if (ret) {
++ done = ret;
++ goto out;
++ }
+
+ io = vdev->barmap[bar];
+ }
+@@ -207,6 +220,9 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
+
+ if (bar == PCI_ROM_RESOURCE)
+ pci_unmap_rom(pdev, io);
++out:
++ if (res->flags & IORESOURCE_MEM)
++ up_read(&vdev->memory_lock);
+
+ return done;
+ }
+--
+2.25.1
+
--- /dev/null
+From 0c46b5eb230f39b74fe932771ab601eec182e573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Sep 2020 19:37:54 +0530
+Subject: vfio/type1: Support faulting PFNMAP vmas
+
+From: Ajay Kaher <akaher@vmware.com>
+
+commit 41311242221e3482b20bfed10fa4d9db98d87016 upstream.
+
+With conversion to follow_pfn(), DMA mapping a PFNMAP range depends on
+the range being faulted into the vma. Add support to manually provide
+that, in the same way as done on KVM with hva_to_pfn_remapped().
+
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Ajay Kaher <akaher@vmware.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_iommu_type1.c | 36 ++++++++++++++++++++++++++++++---
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index ca8c10aa4a4bc..c6220f57fdf3e 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -335,6 +335,32 @@ static int put_pfn(unsigned long pfn, int prot)
+ return 0;
+ }
+
++static int follow_fault_pfn(struct vm_area_struct *vma, struct mm_struct *mm,
++ unsigned long vaddr, unsigned long *pfn,
++ bool write_fault)
++{
++ int ret;
++
++ ret = follow_pfn(vma, vaddr, pfn);
++ if (ret) {
++ bool unlocked = false;
++
++ ret = fixup_user_fault(NULL, mm, vaddr,
++ FAULT_FLAG_REMOTE |
++ (write_fault ? FAULT_FLAG_WRITE : 0),
++ &unlocked);
++ if (unlocked)
++ return -EAGAIN;
++
++ if (ret)
++ return ret;
++
++ ret = follow_pfn(vma, vaddr, pfn);
++ }
++
++ return ret;
++}
++
+ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr,
+ int prot, unsigned long *pfn)
+ {
+@@ -377,12 +403,16 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr,
+
+ vaddr = untagged_addr(vaddr);
+
++retry:
+ vma = find_vma_intersection(mm, vaddr, vaddr + 1);
+
+ if (vma && vma->vm_flags & VM_PFNMAP) {
+- if (!follow_pfn(vma, vaddr, pfn) &&
+- is_invalid_reserved_pfn(*pfn))
+- ret = 0;
++ ret = follow_fault_pfn(vma, mm, vaddr, pfn, prot & IOMMU_WRITE);
++ if (ret == -EAGAIN)
++ goto retry;
++
++ if (!ret && !is_invalid_reserved_pfn(*pfn))
++ ret = -EFAULT;
+ }
+
+ up_read(&mm->mmap_sem);
+--
+2.25.1
+
--- /dev/null
+From 336630c9b67172474c1dfb0235f0470309a5fd5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 14:10:47 +0800
+Subject: x86, fakenuma: Fix invalid starting node ID
+
+From: Huang Ying <ying.huang@intel.com>
+
+[ Upstream commit ccae0f36d500aef727f98acd8d0601e6b262a513 ]
+
+Commit:
+
+ cc9aec03e58f ("x86/numa_emulation: Introduce uniform split capability")
+
+uses "-1" as the starting node ID, which causes the strange kernel log as
+follows, when "numa=fake=32G" is added to the kernel command line:
+
+ Faking node -1 at [mem 0x0000000000000000-0x0000000893ffffff] (35136MB)
+ Faking node 0 at [mem 0x0000001840000000-0x000000203fffffff] (32768MB)
+ Faking node 1 at [mem 0x0000000894000000-0x000000183fffffff] (64192MB)
+ Faking node 2 at [mem 0x0000002040000000-0x000000283fffffff] (32768MB)
+ Faking node 3 at [mem 0x0000002840000000-0x000000303fffffff] (32768MB)
+
+And finally the kernel crashes:
+
+ BUG: Bad page state in process swapper pfn:00011
+ page:(____ptrval____) refcount:0 mapcount:1 mapping:(____ptrval____) index:0x55cd7e44b270 pfn:0x11
+ failed to read mapping contents, not a valid kernel address?
+ flags: 0x5(locked|uptodate)
+ raw: 0000000000000005 000055cd7e44af30 000055cd7e44af50 0000000100000006
+ raw: 000055cd7e44b270 000055cd7e44b290 0000000000000000 000055cd7e44b510
+ page dumped because: page still charged to cgroup
+ page->mem_cgroup:000055cd7e44b510
+ Modules linked in:
+ CPU: 0 PID: 0 Comm: swapper Not tainted 5.9.0-rc2 #1
+ Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
+ Call Trace:
+ dump_stack+0x57/0x80
+ bad_page.cold+0x63/0x94
+ __free_pages_ok+0x33f/0x360
+ memblock_free_all+0x127/0x195
+ mem_init+0x23/0x1f5
+ start_kernel+0x219/0x4f5
+ secondary_startup_64+0xb6/0xc0
+
+Fix this bug via using 0 as the starting node ID. This restores the
+original behavior before cc9aec03e58f.
+
+[ mingo: Massaged the changelog. ]
+
+Fixes: cc9aec03e58f ("x86/numa_emulation: Introduce uniform split capability")
+Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20200904061047.612950-1-ying.huang@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/numa_emulation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/mm/numa_emulation.c b/arch/x86/mm/numa_emulation.c
+index abffa0be80da1..87282258d5bea 100644
+--- a/arch/x86/mm/numa_emulation.c
++++ b/arch/x86/mm/numa_emulation.c
+@@ -321,7 +321,7 @@ static int __init split_nodes_size_interleave(struct numa_meminfo *ei,
+ u64 addr, u64 max_addr, u64 size)
+ {
+ return split_nodes_size_interleave_uniform(ei, pi, addr, max_addr, size,
+- 0, NULL, NUMA_NO_NODE);
++ 0, NULL, 0);
+ }
+
+ int __init setup_emu2phys_nid(int *dfl_phys_nid)
+--
+2.25.1
+
--- /dev/null
+From 7294e9609f15b783e020e09321736c3f04fb69e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 14:11:58 -0700
+Subject: xfs: fix boundary test in xfs_attr_shortform_verify
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+[ Upstream commit f4020438fab05364018c91f7e02ebdd192085933 ]
+
+The boundary test for the fixed-offset parts of xfs_attr_sf_entry in
+xfs_attr_shortform_verify is off by one, because the variable array
+at the end is defined as nameval[1] not nameval[].
+Hence we need to subtract 1 from the calculation.
+
+This can be shown by:
+
+# touch file
+# setfattr -n root.a file
+
+and verifications will fail when it's written to disk.
+
+This only matters for a last attribute which has a single-byte name
+and no value, otherwise the combination of namelen & valuelen will
+push endp further out and this test won't fail.
+
+Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs")
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/libxfs/xfs_attr_leaf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
+index f0089e862216c..fe277ee5ec7c4 100644
+--- a/fs/xfs/libxfs/xfs_attr_leaf.c
++++ b/fs/xfs/libxfs/xfs_attr_leaf.c
+@@ -946,8 +946,10 @@ xfs_attr_shortform_verify(
+ * struct xfs_attr_sf_entry has a variable length.
+ * Check the fixed-offset parts of the structure are
+ * within the data buffer.
++ * xfs_attr_sf_entry is defined with a 1-byte variable
++ * array at the end, so we must subtract that off.
+ */
+- if (((char *)sfep + sizeof(*sfep)) >= endp)
++ if (((char *)sfep + sizeof(*sfep) - 1) >= endp)
+ return __this_address;
+
+ /* Don't allow names with known bad length. */
+--
+2.25.1
+
--- /dev/null
+From 35135f92205ddb192114f656b1368a633387989b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 10:47:02 -0700
+Subject: xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt
+ files
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit d0c20d38af135b2b4b90aa59df7878ef0c8fbef4 ]
+
+The realtime flag only applies to the data fork, so don't use the
+realtime block number checks on the attr fork of a realtime file.
+
+Fixes: 30b0984d9117 ("xfs: refactor bmap record validation")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/libxfs/xfs_bmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index 3f76da11197c4..19a600443b9ee 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -6179,7 +6179,7 @@ xfs_bmap_validate_extent(
+
+ isrt = XFS_IS_REALTIME_INODE(ip);
+ endfsb = irec->br_startblock + irec->br_blockcount - 1;
+- if (isrt) {
++ if (isrt && whichfork == XFS_DATA_FORK) {
+ if (!xfs_verify_rtbno(mp, irec->br_startblock))
+ return __this_address;
+ if (!xfs_verify_rtbno(mp, endfsb))
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
